Are your Data Management Policies supporting the GXP compliance?
Understanding the criticality of setting Master Data and Policies
Your Data lifecycle extends across departments and its governance requires good practices to be followed. Understanding the criticality’s of setting common Master Data and policies is very important and extended educational efforts should be considered at corporate level.
When implementing digital solutions for quality processes, GxP activities, the data management policies should apply to any computer software’s involved, all along the data lifecycle, data workflows and related processes, with particular attention to system integrations.
Setting adequate policies for Validation and Data Integrity is crucial to ensure the required corporate quality levels in managing your data and controlling the right functioning of those computerized systems throughout their life.
This article is providing a summary of the key concepts to be considered for validation management and the ones for ensuring proper data integrity policies using computerized system.
Build Comprehensive Validation Policies for the computerized systems involved in your data lifecycle.
The validation policy should be applicable to any computerized system that is deemed to have an impact on GxP activities. Examples of such systems include, but are not limited to, automated manufacturing or laboratory equipment, process control systems, MES, LIMS, regulatory compliance, and document management systems.
The validation cycle should establish documented evidences and provides a high degree of assurance that the systems will operate on day one and will continue to operate along updates and upgrades, amongst all users’ levels, in a reliable and reproducible manner, according to the documented requirements and within a controlled environment.
Key concepts to be applied for computerized system validation management
- Design and manage the system lifecycle under Quality requirements.
The compliant state of the systems must be maintained until the systems are decommissioned. From the first moment, i.e. concept of the system, through implementation and routine operation till complete retirement of the computerized system, appropriate documented procedures must be developed and followed accordingly.
- Adapt the validation lifecycle activities based on the outcome of both Risk and Supplier Assessments.
The validation efforts all along the computer software lifecycle are directly proportional of the outcome of the risk assessment and the supplier assessment.
An audit of the Supplier´s Quality system will provide an excellent baseline to extrapolate the effort required for initial validation and for supervision of the updates, upgrades and good functioning during its entire lifetime.
Additionally, the risk evaluation should consider the system complexity, its maturity level and the functionality required to control the underlying processes, along with the amount of data to be stored, recalled, processed and secured. The architecture of the hardware and the software that comprise the computerized system will also have an impact on the system complexity and must be considered when developing the validation activities. Finally, the configuration of the software application and the software functionalities must also be considered in the validation process and as such during the risk assessment.
- Leverage the supplier involvement throughout the validation lifecycle activities. The supplier may be able to provide a considerable degree of expertise through the process and help reduce the validation activities. Where documents are supplied, those should be reviewed and accepted for use.
Ensure solid Data Integrity Policies that cover your complete Data Life Cycle
These policies should describe responsibilities and activities related to the integrity of your data collection, storage, management and archival on the computerized systems. The necessary measures should be defined to satisfy the data integrity requirements, (see ALCOA definition) and guarantee that data collected and managed are complete, consistent and accurate throughout the entire data life cycle.
Key concepts to be considered to ensure proper data integrity policies using computerized system
- Evaluate the system criticality through a risk assessment to define priorities in reinforcements and liability of the system to be validated
- Assess and address Interfaces during validation to ensure that transfer of data are correct and complete. The interface between the originating system, data acquisition and recording systems should be validated to ensure the accuracy of data. It should always be possible at any time, at any decision level, to easily access the original raw data.
- Incorporate validated checks to ensure the completeness of data acquired, as well as any metadata associated with the data. Ensure that critical data are reviewed by the appropriate user and verified to determine that operations were performed correctly. Any necessary changes to data must be authorized and controlled in accordance with approved procedures.
- Configure and enforce User access controls so that Input of data and changes to computerized records are made only by authorized personnel
- Assigned Individual Login IDs and passwords for all and every staff needing to access and utilize the specific electronic system in order to allow proper traceability. Shared users are not allowed for GxP critical activities.
- Define standard procedure for new users’ settings and requests for new privileges.
- Configure Audit Trail functionalities properly to capture any activities related to the acquisition, deletion, overwriting and changes to data for audit purposes.
- Ensure solid format storage to ensure that data are not vulnerable to manipulation, loss or change. Storage of data must include the entire original data and metadata, including audit trails, using a secure and validated process. The data should be accessible and readable, and its integrity maintained for all the period of archiving
- Define procedures for Backup and copies.They must have the same appropriate levels of controls so as to prohibit unauthorized access to, changes to and deletion of data or their alteration. True copies of dynamic electronic records can be made, with the expectation that the entire content (i.e., all data and metadata) is included and meaning of the original records are preserved.
- Define Procedures that describe the process for the disposal of electronically stored data. These procedures should provide guidance for the assessment of data and allocation of retention periods and describe the manner in which data that is no longer required is disposed of.
From NL42 consulting, we can help you setting the adequate set of policies. We review and audit your situation, provide risk assessment, supplier assessment and recommendations for remediation when needed.