Data Integrity Checklist for Pharmaceutical Industry

This checklist is not complete nor is it the purpose of an audit to ask all possible questions or review all aspects of a topic. The purpose of this article is to serve as a tool for identifying potential data integrity issues. It is not a standard. This article is not all-inclusive and is meant to be used in addition to standards/guidelines that address GMP/quality assurance topics during audits of facilities supplying materials to the pharmaceutical industry.


Sr. No.

Checklist

Comments

YES

NO

1

Data Governance Policy

Is there one and are IT personnel familiar with its content Production, operations, QC lab personnel?

 

 

2

Is there a risk assessment for Data Governance of computerized systems

 

 

3

Does the risk assessment consider risks related to the IT department?

Does it consider risks related to outsourced IT operations?

 

 

4

Is there a list of authorized IT service providers?

 

 

5

Have IT service providers been audited?  Review the most recent audit report and see if CAPA’s have been addressed.  Did the audit address data integrity/governance?

 

 

6

Is there a quality agreement in place with the service provider – does it address data governance expectations / assign and define responsibilities between the service provider, the IT department and or individual users?

 

 

7

Does the service provider interact directly with users or is all communication through the IT department?

 

 

8

Have service providers been provided GMP and specifically data integrity training and are they familiar with the DI Governance Policy?

 

 

9

Are IT service providers permitted remote access to company computers?

If yes, is access with or without prior specific user, or manager, permission each entry to a user’s workspace or a computerized system serving a piece of production, laboratory or other GxP related activity/operation

 

 

10

How are changes performed by remote access managed?

Review some of the changes performed – is there a computerized audit trail for PROGRAMMING changes?

 

 

11

Is there a computerized systems policy

 

 

12

Does it require all computerized systems with GxP impact to be compliant with:

21 CFR part 11 (electronic records and electronic signatures)

Annex 11 of the EU GMPs

Other standards (define) ________________________________

 

 

13

Is there a controlled (up-to-date, version number, page #s) list of GxP impact computerized systems?

Does it describe:

What the system does, where it is installed (list of PCs on which it is installed and authorized users); current validated software version?

 

 

14

Are there any legacy systems that do not meet part 11 requirements for:

Unique user name/password for each entry with automatic LOGOFF.

  • How long after leaving the workstation does it log out?
  • Is there a data and time-stamped audit trail for each piece of software at the data collection level?
  • Is there a data and time-stamped audit trail for each piece of software at the programming level?
  • Is the audit trail enabled?

 

 

15

Are data collection audit trails reviewed?

At what frequency and by whom? Are they attached to the results reviewed by QP at release?

 

 




16

Ask an analyst to print out a data audit trail.  Do they know how to do that?  Review it on the computer – are the users identified by name or as User 1, 2, 3 or are they all just “User”

 

 

17

Does the audit trail explain in human-readable form, what change was made and why?  If it describes the change but not the reason – ask the analyst, separately their manager, and separately the QP who released the batch – what the reasons are.

In particular focus on deletions.

 

 

18

Are programming audit trails (changes to directories, file deletion, alteration, changes to metadata) reviewed?  At what frequency and by whom?  How is the review documented and to whom is the outcome reported?  Do findings appear in the CAPA system?

 

 

19

Are the user name and passwords program-specific or is a workstation accessed by entering a windows user name and password?

NOTE: if yes, probably all users are entering a single user name and if a workstation has several programs installed, access to those programs is not controlled once the workstation is open.

 

 

20

Who holds the administrator password and what privileges does it allow (e.g. is the laboratory manager able to delete files?)

Is there a policy describing what the administration is allowed to do and how it is documented?

 

 

21

How are changes to programming, servers, and IT infrastructure managed?  Is it by the company-wide change control program or an IT change control?  Is there QA / Quality Unit sign off

 

 

22

Check if drawing tools are disabled (might allow “whiting out” a “small” unwanted peak on a chromatogram and wouldn’t be seen on the printout

 

 

23

Are chromatograms sequential or are there numbers missing in the set?

 

 

24

Is there an SOP describing how the integration of chromatograms is performed?  Is auto-integrate the default?  If manual integration is performed is the auto-integration also attached?

 

 

25

Are the integration parameters and setup in general printed out before performing the analysis / as part of the report?

 

 

26

How and by whom is the system clock set?  Can it be changed to show an earlier time of processing data?

 

 

27

Is there a written policy regarding trial injections as part of system suitability? Does it forbid the use of test samples?  What is the policy for filing and reporting failing system suitability tests – before, during, and/or after testing?

 

 

28

Is data deletion possible and how is recorded in the audit trail?

 

 

29

Are memory sticks/thumb drives or other removable media allowed? Or is there a policy forbidding their use/drives sealed off / computers not fitted with USB ports?

 

 

30

Is there a written definition as to what constitutes raw data and how that is backed up?

 

 

31

What is the maximum time from QC results generation until review and approval / COA issuance?  Is this covered by an SOP?  Including stability testing results?

 

 

32

How are COAs generated? Is the template locked?  Can it be overwritten? Does it match the specifications?

 

 

33

Are excel files used for calculating QC results? Is there an SOP and are they validated and locked?

 

 

34

What provisions are in place (e.g. immediate signing and dating of printed copy with deletion of original data from template) to prevent changing data after calculation

 

 

35

Check a template – is there data stored in it and do the company overwrite previous data – a known source of error

 

 

36

Is there an IT Disaster Recovery Plan and does it address data governance?

 

 

37

Are there periodic efforts to restore electronic data back up from archives and documented checks of its integrity

 

 

38

Is there a procedure for retiring computerized systems/software which ensures that raw data is preserved and can be reused for calculation verification if required?  Over what period of time?

 

 




Sr. No.

Checklist

Comments

YES

NO

Attributable

 

Paper

 

 

1

Does your company maintain a signature log for employees that work in GxP areas?

 

 

2

Are staff trained in Good Documentation Practices outlining that GxP records must be initialled and dated?

 

 

3

Is the use of scribes prevalent in your company?

 

 

4

Are digital images of a person's handwritten signature permitted at your company?

 

 

 

Electronic

 

 

5

Does the system use unique user logins with electronic signatures?

 

 

6

Are there audit trials in place recording the identity of operators entering, changing, confirming or deleting data?

 

 

7

Does the system identify and record the person releasing or certifying the batches? Is an electronic signature used?

 

 

8

Are staff trained on the fundamentals of data integrity which emphasizes never to disclose their username or passwords with other staff?

 

 

Legible

 

Paper

 

 

1

Are controls in place to ensure data is recorded using permanent, indelible ink?

 

 

2

Is the use of correction fluid, pencils and erasures prohibited?

 

 

3

Is there controlled issuance of bound, paginated notebooks for GMP activities?

 

 

4

Are archiving of paper records performed by an independent, designated archivist?

 

 

5

Are operators trained to use single-line cross outs accompanied by an initial and date when recording changes to a record?

 

 

 

Electronic

 

 

6

Is your stored data checked periodically for readability?

 

 

7

Are audit trails convertible to a generally intelligible form?

 

 

8

Can general users switch off the audit trail?

 

 

9

Is archived data checked periodically for readability?

 

 

10

Is data backed up in a manner permitting the reconstruction of an activity?

 

 



Sr. No.

Checklist

Comments

YES

NO

Contemporaneous

 

Paper

 

 

1

Are staff trained in Good Documentation Practices emphasizing the importance of recording data entries at the time of activity?

 

 

2

Are staff trained in Good Documentation Practices emphasizing that it is improper to back date or forward date a record?

 

 

 

Electronic

 

 

3

Does your system automatically generate a timestamp when data is entered?

 

 

4

Do electronic signatures contain an automatically generated timestamp?

 

 

5

Are users able to change the timestamps applied to records?

 

 

6

Are general users able to gain access and change the system clock or time zone settings?

 

 

7

Is data saved to unauthorized storage locations such as USB sticks?

 

 

8

Are there sufficient availability of user terminals at the location where a GxP activity takes place?

 

 

Original

 

Paper

 

 

1

Are sticky notes or other unofficial notepads permitted in GMP areas of the facility?

 

 

2

Are qualification/validation activities performed on original pre-approved protocols?

 

 

3

Is there a controlled and secure area for archiving of records?

 

 

4

Are original records readily available for inspection?

 

 

 

Electronic

 

 

5

Is it possible to print out batch release records, showing any data that has been changed since the original entry?

 

 

6

Are your electronic signatures permanently linked to their respective record?

 

 

7

Does the person processing the data have the ability to influence what data is reported or how it is presented?

 

 

8

Does the system prevent the deletion of original data?

 

 

9

Is it possible to take screenshots and use snipping tools to manipulate data?

 

 

10

Is metadata periodically reviewed?

 

 




Sr. No.

Checklist

Comments

YES

NO

Accurate

 

Paper

 

 

1

Are forms, logbooks and notebooks formatted to easily allow for the entry of correct data?

 

 

2

Are procedures in place to independently review original paper records?

 

 

3

Are deviations and out-of-specification results investigated?

 

 

4

Are laboratory instruments calibrated and maintained?

 

 

5

Are secondary checks performed to check the accuracy of critical data?

 

 

6

Are staff pressured into meeting production targets, leading to compromised accuracy of records?

 

 

 

Electronic

 

 

7

Do interfaces contain built-in checks for the correct and secure entry and processing of data?

 

 

8

Does your system perform a check on the accuracy of critical data and configurations?

 

 

9

Are systems periodically reviewed?

 

 

10

Are interfaces validated to demonstrate security and no corruption of data?

 

 

11

Is archived data protected against unauthorized amendment?

 

 


Sr. No.

Checklist

Comments

YES

NO

Documentation

1.

Entries are legible and clear.

 

 

2.

Entries are performed on real time basis-no evidence of back dating.

 

 

3.

Corrections are made so that original entry is not obscured and signed by the doer; corrections are dated and justified adequately.

 

 

4.

Verify entries made by a single person for the signature (atleast 5).

 

 

5.

Page numbering is in sequence- no evidence of replacement/missing pages.

 

 

6.

Extra copies of pages in the BMR/Analytical Test report are issued and authorized by the Quality Assurance department and the same is reflected on the document as such.

 

 

7.

Log books (equipments: ware house, manufacturing, quality control/others: environmental monitoring, equipment usage & equipment maintenance) are up to date, recorded on time basis and with entries corresponding to the actual actions.

 

 

8.

The printout of the weighing balance is available for all the tests, involving weighing, conducted which directly or indirectly results into in-process material/batch release.

 

 

9.

All the chromatograms are available along with the Analytical Report

 

 

10.

The injection sequence timing is in line with standard/sample weighing and injection time?

 

 

11.

Verify Soft data against hard data for any change in data, unreported data or repeat testing.

 

 

12.

Verify media preparation and reconciliation and destruction record.

 

 

13.

Verify the Incubation record, and Autoclave logs and ensure if it is as per validated loads and media preparation.

 

 

14.

Compare Procedures against actual practices with reference to testing, sample handling, and recording of results.

 

 



Sr. No.

Checklist

Comments

YES

NO

Computer System

1.

PLCs used in the manufacturing, testing, or maintaining the critical process parameter are protected for passwords for individual users

 

 

2.

PLC has adequate control to prevent changes in process parameters eg: The display shows the parameters as per specification but the actual processing time has been changed in the PLC.

 

 

3.

Individual balances (used in product testing and release-making decisions):

  • Have to print out facility
  • The printout captures:
  1. Balance ID
  2. Date & Time

 

 

4.

The site has a defined policy for user rights:

  • Analyst
  • Reviewer
  • Administrator
  • Guest

 

 

5.

Is there a pre-defined procedure for the protection of data during maintenance (the Service Engineer has administrator rights)?

 

 

6.

The computer system is password protected; all the personnel has dedicated windows login and software login user name & password.

 

 

7.

The computer system has adequate measures to prevent the following:

  • Change of date & time
  • Cut, Copy, Paste, Rename & delete option (disabled through mouse and keyboard)

 

 

8.

Check Recycle bins for any files & folders related to analytical data

 

 

9.

Audit Trail:

Is enabled for all instruments having an associated computer system?

If not, a paper-based audit trail is maintained?

 

 

10.

Audit Trail review:

  • A system Audit trail is reviewed at a specified interval
  • Individual test audit trail is reviewed and is a part of the analytical report
  • Verify the Audit trail for one of the tests; the audit trail should capture the actual reason for change or edit

 

 

10.

Verify that adequate procedures are in place for System Suitability & Sample Analysis Check:          

 

 




Sr. No.

Checklist

Comments

YES

NO

1.

Is the computer validated for its intended use? 

You are looking for a set of requirements that define the following:

  • What functions do the systems perform – including alarm and error conditions
  • Security – What types of roles are in the system and what do the roles have access to
  • What are the critical data fields and records
  • How is the data backup

 

 

What functions does the computer perform?

 

 

1

Audit Trail:

  • Is enabled for all instruments having an associated computer system?
  • If not, paper-based audit trails are maintained?

 

 

2

Audit Trail review:

  • A system Audit trail is reviewed at a specified interval
  • An individual test audit trail is reviewed and is a part of the analytical report
  • Verify the Audit trail for one of the tests; the audit trail should capture the actual reason for change or edit or deletion and the date/time stamp of the event

 

 

3

The computer system has adequate measures to prevent the following:

  • Change of date & time
  • Cut, Copy, Paste, Rename & delete option (disabled through mouse and keyboard) Inactivity time out

 

 

4

Verify the date/time on the computer is correct

 

 

SECURITY

 

 

1

For Instruments - The computer system is password protected; all the personnel have dedicated windows login and software login user name & password?

 

 

2

PLCs- used in the manufacturing, testing or maintaining the system - Are there unique individual user accounts and each for an individual user

 

 

3

Are critical process parameter changes performed by someone other than user and/or supervisors?

 

 

4

Do sops exist on the approval and removal of roles/users?

 

 

5

Are access reviews periodically performed and documented

 

 

6

Is there a pre-defined procedure for the protection of data during the maintenance (Service Engineer have administrator rights)?

 

 

What are the critical data fields and records?

 

 

1

Are the critical data fields defined in the requirements document

How are changes to these data fields done?  By who and are audit trails reviewed for the changes.

 

 

2

PLC has adequate control to prevent changes in process parameters eg: The display shows the parameters as per specification but actual processing time has been changed in the PLC

 

 

3

Individual balances (used in product testing and release making decision):

Have print out facility

The print out captures:

Balance id

Date & Time

 

 

How is the data backed up?

 

 

1

Do SOPs exist on how data is backed up that includes how often and what happens if a failed backup occurs

 

 

2

Has the backup of data been tested?  What files are backed up? Does it include the metadata

 

 

3

Has a restore of the backup been verified and how often does this happen? Is it defined in an SOP?

 

 

4

Check Recycle bins for any files & folders related to analytical data

 

 



NOTES:
  • When looking at security features ensure that the critical parameter changes are not performed by the person who approves or owns the data.
  • When approving the data does the supervisor review the audit trail
  • Control for accounts that can change critical parameters
  1. Password expiration required
  2. Account management required
  3. Maintain a list of users with access to the password
  4. Logout functionality (automatic Logoff or SOP enforcement)

There are two different types of audit trials that need to be considered:

System Configuration Audit Trail
  • Tracks actions of System Administrator
  • Tracks changes to “rules” for operating the system
  • These types of audit trails should be reviewed as part of the system periodic review process.

Data Audit Trail
  • Tracks actions of Users, Reviewers, Approvers
  • Tracks changes to data
  • These types of data audit trails shall be reviewed every time the data is being reviewed. Review needs to include data + meaningful metadata

Post a Comment

Previous Post Next Post