https://www.agilent.com/cs/library/...our_lab_for_a_data_integrity_audit_Wright.pdf
Data Integrity (DI) questions:
• Is electronic data available?
• Is electronic data reviewed?
• Is meta data (audit trails) reviewed regularly?
• Is there clear segregation of duties?
• Has the system been validated for its intended use?
Internal Data Review / External (Auditor) Data Review
• Analysis performed as per the monograph.
• Sequence information correct.
• Chromatography is typical.
• SST acceptance criteria achieved.
• NO “conditioning” or “test” injections using the sample (use a standard or control sample if specified by your procedures and monograph).
• Correct integration (pay attention to MANUAL integration).
• Chromatography appropriately scaled.
• Individual results duplicate and meet specification.
• Check the sequence and individual injection audit trail - any atypical / suspect activity?
• Data processing: - Do the audit trail comments provide traceability? - Can the reprocessing be justified?
• Check electronic results within the CDS match results reported on hard copy chromatography or in LIMS / SAP systems.
Administration control
• Individual user profiles and passwords.
• Clear segregation of duties within user profiles.
• Restricted privileges for user (can't delete / over-write / move).
• Audit trail functionality switched ON.
• Date / time functionality locked by IT.
• Lab Demo – User log-on (multiple), date / time locked, can't delete data.
• Data recall – Electronic sequence / data file recall in lab using staff member. Data recall needs to be fast and efficient.
• Data review – Chromatography scaling, integration and electronic results.
• Audit trail review – looking for suspicious activity, justification of processing.
• Training – assess staff competency with CDS in lab. Make sure staff are trained to interact with the auditor. Have a CDS superuser present during the lab inspection.
• Query search – assurance that batch hasn’t been analysed multiple times as part of an investigation.
https://www.fda.gov/downloads/About...fMedicalProductsandTobacco/CDER/UCM561491.pdf
Current expectations and guidance, including data integrity and compliance with CGMP
Regular Review Scheduled Review
• Overwriting
• Aborting runs
• Testing into compliance
• Deleting
• Backdating
• Altering data
• (not an all-inclusive list)
How are you fulfilling the FDA's Audit Trail expectations for Data Integrity?
Regular Review Scheduled Review
the change history of finished product test results,
changes to sample run sequences,
changes to sample identification, and
changes to critical process parameters
• Look for unusual login activity
• Monitor record deletion (if such an activity is not permissible)
• Monitor changes to critical system configuration records
• Monitor user role changes
• Monitor abnormal, disallowed or unusual record state changes
• Monitor system logs for critical application errors and correlate them with user activity
• And much more…
http://www.cbinet.com/sites/default/files/files/Longden_Heather_pres.pdf
Audit trails tell us WHO did WHAT, WHEN automatically
Audit trails tell us WHY as defined by the user
They have two primary purposes:
– Give a history to the data, to help decide if it can be trusted
– They should deter wrongdoing (think of CCTV)
o Without review, they are not a deterrent
Audit trail record…at least the following information
– Name of the person who made the change to the data;
– Description of the change;
– Time and date of the change;
– Justification for the change;
• the change history of finished product test results,
• changes to sample run sequences,
• changes to sample identification,
• changes to critical process parameters (not “processing” parameters).
– routine scheduled audit trail review based on the complexity of the system and its intended use
• include discrete event logs, history files, database queries or reports
• require specific training in evaluating the configuration settings and reviewing electronic data and metadata, such as audit trails, for individual computerized systems
• correct use of Admin functionalities
• determine if any retesting or additional testing of new functionality is required
• Deleting Data only by designated administrators and WHY
• Creating projects only by designated administrators
• Regular archiving of projects / altering access or status of projects
• Altering System Policies
• User creation patterns
• Password resetting activity
• Alteration of systems
• Changes to roles
http://microsep.co.za/wp-content/up...-Frylinck-Empower-Electroninc-Data-Review.pdf
SYSTEM AUDIT TRAIL
• Deleting data only by designated administrators and WHY
• Creating projects only by designated administrators
• Regular archiving of projects / altering access or status of projects
• Altering System Policies
• User creation patterns
• Password resetting activity
• Unauthorised access to system
• Alteration of systems
• Changes to roles
• Access to system at non working time
• Restore of Projects and Project Integrity
• Check on performance of IQ (Warning, Error)
• Archive and Removal of Audit Trail
Unsuccessful Attempt to Confirm Identity
PERIODIC AUDIT TRAIL
It’s like an internal audit on the compliance of the system
– Find concerns BEFORE the audit
– Find ways to improve the efficiency of systems and processes
– Documented evidence of actively searching for data integrity issues
E.g. review System Audit Trail for correct use of Admin functionalities
Review major and minor changes to determine if any retesting or additional testing of new functionality is required
– Has it significantly expanded or changed use
– Is the system still in control and in a validated state?
http://www.who.int/medicines/areas/...a-management-practices_QAS15-624_16092015.pdf
Management reviews and regular reporting of quality metrics
• tracking and trending the occurrence of invalid and aberrant data may reveal unforeseen variability in processes and procedures previously believed to be robust, opportunities to enhance analytical procedures and their validation, validation of processes, training of personnel or sourcing of raw materials and components (Working document QAS/15.624, page 13);
• regular review of audit trails may reveal incorrect processing of data and help prevent incorrect results from being reported and identify the need for additional training of personnel;
• routine inspections of computerized systems may reveal gaps in security controls that inadvertently allow personnel to access and potentially alter time/date stamps. These findings help raise awareness to management of need to allocate resources to improve computerized systems validation controls;
• monitoring of contract acceptors and tracking and trending of associated quality metrics for these sites help to better identify risks that may indicate the need for more active engagement and allocation of additional resources by the contract giver to ensure quality standards are met.
Read pg.18 onwards
Data Integrity ALCOA+
A – Attributable: Who acquired the data or performed an action?
L – Legible: Can you read and understand the data entries?
C – Contemporaneous: Was it documented at the time of the activity?
O – Original: Is it the first recorded observation (or a verified true copy)?
A – Accurate: Is it scientifically valid with no errors?
+
Complete: All data including any repeat or reanalysis performed
Consistent: All elements of the analysis are dated/time stamped and in the expected sequence
Enduring: Recorded in a permanent, maintainable form for the useful life
Available: For review, audit or inspection over the lifetime of the record
http://www.formpipe.com/Global/Life Science/Demo 2017/Data Integrity 2017.pdf
Common Data Integrity Issues
Common passwords :- Analysts share passwords, unable to identify who created or changed a record
User privileges :- System configuration does not adequately define or segregate user levels; users have access to unauthorised functions
Computer System Operational Controls :- Inadequate controls over data; unauthorised access to modify or delete files; no automatic saving of files, records not accurate or complete
Processing methods :- Integration parameters not controlled, chromatograms may be re-integrated without correct change process
Audit trails :- Functionality turned off, no complete record of the data life cycle – who modified a file and why
Conflict of interest :- Business process owners granted enhanced security access, e.g. system administrator
“Unofficial” documentation :- Recording data first on a scrap of paper then transferring to the official document (e.g. the laboratory notebook)
Failure to review “original data” :- Data and metadata not reviewed together to ensure context is maintained; errors or omissions may be undetected
Inadequate data retention arrangements :- Failure to avoid inadvertent or deliberate alteration or loss throughout the retention period
http://www.pharmacy.tcd.ie/assets/pdf/QPFORUM-Data Integrity-BBuhlmann.pdf
Data Integrity Continuum
System Error (ignore)
Individual Mistake (Sloppiness)
Individual Malfeasance (sleaziness)
Institutional Malfeasance (fraud)
Data Review
Good Documentation Practices - Legible, Contemporaneous, Permanent, Attributable, Traceable, Time/Date Stamped
System Audit Trail: Tracks actions of System Administrator; reviewed periodically based on risk; defined in Administrators SOPs
Data Audit Trail: Tracks actions of users, reviewers, and approvers; is reviewed when the data is reviewed; defined in User Operational SOPs
http://media.firabcn.es/content/S109015/Presentaciones/coso_anna.pdf
1. Results discarded without explanation
2. Overwriting electronic raw data files for on-going sequences
3. EM plates without evidence of contact (finger prints)
4. Operators with several profiles in a system
5. Dates of # print outs without appropriate correlation
1. Which profiles and privileges are defined?
2. Who could change the data?
3. Is the e-data reviewed, or only paper data?
4. How do you manage your automated IPC controls?
5. Where do you keep your back-ups?
Important Questions and Answers concerning the Audit Trail Review
Important Questions and Answers concerning the Audit Trail Review - ECA Academy
Important Questions and Answers concerning the Audit Trail Review - Part 2 - ECA Academy
Understanding Audit Trail Requirements in Electronic GxP Systems
The audit trail must be:
Automated: The audit trail entries must be automatically captured by the computer system whenever an electronic record is created, modified or deleted.
Secure: Audit trail data must be stored in a secure manner and must not be editable by any user.
Contemporaneous: Each audit trail entry must be time stamped according to a controlled clock which cannot be altered. The time should either be based on central server time or a local time, so long as it is clear in which time zone the entry was performed.
Traceable: Each audit trail entry must be attributable to the individual responsible for the direct data input. Updates made to data records must not obscure previous values and where required by regulation the reason for changing the data must also be recorded.
Archived: The audit trail must be retained as long as the electronic record is required to be stored.
Available: The audit trail must be available for agency review and copying.
Audit trail content and reason it is required:
Identification of the User making the entry: This is needed to ensure traceability. This could be a user’s unique ID; however, there should be a way of correlating this ID to the person.
Date and Time Stamp: This is a critical element in documenting a sequence of events and vital to establishing an electronic record’s trustworthiness and reliability. It can also be an effective deterrent to records falsification.
Link to Record: This is needed to ensure traceability. This could be the record’s unique ID.
Original Value: This is needed in order to be able to have a complete history and to be able to reconstruct the sequence of events.
New Value
Reason for Change: This is only required if stipulated by the regulations pertaining to the audit trailed record. (See below)
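An added example (not taken from any of the linked presentations or from any CDS vendor): a minimal audit trail review pass that checks each entry for the content fields listed above and flags several of the review items named earlier (deletion by non-administrators, role changes, access at non-working time, timestamps out of sequence). The field names, the `action` values, the administrator list, the working hours and the sample entries are all assumptions constructed for illustration.

```python
from datetime import datetime

REQUIRED = ("user", "timestamp", "record_id", "original_value", "new_value")
ADMINS = {"admin01"}        # assumption: the designated administrators
WORK_HOURS = range(7, 19)   # assumption: 07:00-18:59 counts as working time

# Constructed sample entries, in the order the system wrote them.
SAMPLE = [
    {"user": "analyst1", "timestamp": "2024-03-04T09:15:00", "record_id": "INJ-001",
     "action": "modify", "original_value": "12.1", "new_value": "12.4",
     "reason": "Manual integration per SOP"},
    {"user": "analyst2", "timestamp": "2024-03-04T23:40:00", "record_id": "INJ-002",
     "action": "modify", "original_value": "98.2", "new_value": "99.6", "reason": ""},
    {"user": "analyst1", "timestamp": "2024-03-04T08:00:00", "record_id": "INJ-003",
     "action": "delete", "original_value": "run3.dat", "new_value": "",
     "reason": "Aborted run"},
    {"user": "admin01", "timestamp": "2024-03-05T10:00:00", "record_id": "USR-analyst2",
     "action": "role_change", "original_value": "Analyst", "new_value": "Reviewer",
     "reason": "Promotion"},
]

def review(entries, reason_required=True):
    """Return (record_id, finding) pairs for the reviewer to follow up."""
    findings, latest = [], None
    for e in entries:
        rid = e.get("record_id", "?")
        # Values may be empty (e.g. new value of a deletion); keys may not be absent.
        findings += [(rid, f"missing {f}") for f in REQUIRED if f not in e]
        # Reason is checked only where the applicable regulation stipulates it.
        if reason_required and not e.get("reason", "").strip():
            findings.append((rid, "no reason for change"))
        if "timestamp" in e:
            ts = datetime.fromisoformat(e["timestamp"])
            if latest and ts < latest:   # possible backdating or clock change
                findings.append((rid, "timestamp out of sequence"))
            latest = max(latest, ts) if latest else ts
            if ts.hour not in WORK_HOURS:
                findings.append((rid, "activity outside working time"))
        if e.get("action") == "delete" and e.get("user") not in ADMINS:
            findings.append((rid, "deletion by non-administrator"))
        if e.get("action") == "role_change":
            findings.append((rid, "user role changed"))
    return findings

if __name__ == "__main__":
    for rid, finding in review(SAMPLE):
        print(rid, finding)
```

Each finding is a prompt for the reviewer to check the justification, not a verdict; a role change by an administrator, for instance, is expected but still belongs in the periodic review.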
Are Digital Signatures Accepted by Lab Regulators? Best Practice ELNs Ensure Validity
http://www.formpipe.com/Global/Life Science/Demo 2017/Data Integrity 2017.pdf
DATA INTEGRITY CHECKLIST