Nature Of Change | Change Details |
| Principles, Criticality, Risk, And System Design |
Deletion | Figure 1 in the 2015 version, showing the spectrum of simple to complex computerized systems, has been removed. The text in section 4.3 of the 2018 version provides a narrative version of the 2015 Figure 1. The 2016 draft guidance included the figure; it was removed as an outcome of the consultation process. |
Addition | The scope of the 2015 guidance was limited to GMP; the scope of the 2018 version includes GCP, GLP, and GMP for pharmaceuticals and excludes consideration of devices. Reference is made to the introduction section of the guidance. The introduction section is largely new in this revision. |
Addition | The Principles of Data Integrity section introduces the acronym DIRA (data integrity risk assessment). Many of the 10 principles consolidated in this section reflect requirements that were found throughout the earlier document but consolidated in the 2018 version. |
Revision | The 2015 version included a section titled Establishing Data Criticality and Inherent Integrity Risk that is substantially expanded with new text and detail. Additional detail is provided in examples. |
Revision | Section 5.0, titled Designing Systems and Processes in the 2018 version, has also been substantially expanded. It addresses a GLP example where scribes record activities, such as for necropsies. |
Revision | The format is revised from a tabulation format that included terms, definitions, and expectations/guidance (where relevant) in 2015 to a non-tabulated narrative format in 2018. |
| Definitions And Interpretations |
Deletion | The revised definition of raw data in section 6.2 does not include the potential for the use of “true copies.” |
Deletion | The definition of lifecycle (section 6.6) has been revised and omits the previously specified duration of archival arrangements and retrievability of data for inspection. |
Deletion | The concept of a primary record has been removed. This removes confusion and perhaps bad practices the 2015 version may have appeared to support. |
Addition | The revised definition of raw data in section 6.2 now includes source data as defined in the ICH GCP guidance. It also provides additional detail on simple electronic instruments that may store electronic data, such as pH meters or balances. Guidance is provided on how firms should manage situations where electronic data is retained. |
Addition | Section 6.5 on data governance now includes requirements to ensure this is included in quality agreements and that data is “directly accessible on request from national competent authorities.” |
Addition | Section 6.7 on Recording and Collection of Data is new. |
Addition | Section 6.8 on data transfer/migration is new. Data transfer processes should be validated. This section also addresses the requirements for use of electronic worksheets, which I interpret to be spreadsheets such as Excel. |
Addition | Section 6.9 on Data Processing is new and requires traceability of “user defined parameters” and addresses expectations for activities such as re-integration of chromatography data to ensure it is not being “manipulated to achieve a more desirable result.” |
Addition | The 2018 revision adds section 6.10 on Excluding Data. For data that is excluded, the justification for doing so should be documented, and all data should be retained and available for review. This section does not apply to GPvP, as this is covered by pharmacovigilance legislation. |
Addition | The 2018 version adds section 6.14 addressing electronic signatures. It references the MHRA/HRA draft guidance on the use of electronic informed consent for the GCP area. |
Addition | Section 6.20 on IT Suppliers and Service Providers is an important and welcome addition and addresses software as a service, platforms as a service, and infrastructure as a service. |
Addition | The glossary adds new terms and their definitions including: eCRF, ECG, data quality, DIRA, data cleaning, directly accessible, and advanced electronic signatures. |
Revision | The definition of data (section 6.1) has been revised to be more detailed than simply “information derived or obtained from raw data” and includes the “+” attributes of “ALCOA +,” though it does not use this term. Data is to be complete, consistent, enduring, and available in addition to meeting the ALCOA attributes. |
Revision | The revised definition of data integrity (section 6.4) includes the requirement to incorporate risk management: “quality and risk management systems including adherence to sound scientific principles and good documentation practices.” The definition is substantially expanded from the one-sentence version in the 2015 draft guidance. |
Revision | The section on original record/true copy is now divided into two sections (6.11.1, titled “Original Record,” and 6.11.2, titled “True Copy”). Original Record: This section is revised to address GCP examples, such as medical imaging results. It also is expanded to include examples where manual observations such as manual titrations and visual interpretations may need to be supported by second person verification. True Copy: This section has been revised to state that true copies may be stored in a different electronic format than the original under specific circumstances. This section also states that when relying on “true copies,” the firm should consider risks that may be associated with the destruction of the original records. It also provides specific information on what should be verified to ensure a “true copy” includes adequate content. The new version also addresses how to accommodate situations where computer systems are no longer supported. |
Revision | The section on Computerised System Transactions (section 6.12) now specifies that the time interval before saving data should be minimized for situations where multiple operations are combined into a single transaction. A paragraph is now included that addresses factors in this area that should be considered during system design. The two figures in the 2015 version are not included in the 2018 document. For those who aren’t IT experts, the figures provided added value. |
Revision And Deletion | The definition of audit trail has been substantially expanded in section 6.13. Further, some of the explanation is expanded and states that when the system administrator amends or turns off the audit trail, that action should be recorded and retained. The 2015 version states that systems should have audit trails and unique login capability by the end of 2017. The 2018 version removes a specific date for meeting this requirement but does not remove the requirement. The 2018 version states: “Where relevant audit trail functionality does not exist (e.g. within legacy systems) an alternative control may be achieved for example defining the process in an SOP and use of log books. Alternative controls should be proven effective. Where add-on software or a compliant system does not currently exist, continued use of the legacy system may be justified by documented evidence that a compliant solution is being sought and that mitigation measures temporarily support the continued use.1 1 It is expected that GMP facilities with industrial automation and control equipment/systems such as programmable logic controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference: Article 23 of Directive 2001/83/EC).” The 2018 version addresses audit trail review and states that these may be reviewed as a list of relevant data or by an exception reporting process. This guidance defines the content of an exception report and states it is a “validated search tool.” Further, reviewers must have “sufficient knowledge and system access to review relevant audit trails, raw data and meta data.” MHRA also states they may identify a deficiency when systems that do not meet audit trail or individual user account expectations do not have remediation identified or subsequently implemented. |
Revision | Data Review and Approval, described in section 6.15, is expanded. The revision states, “Data review should be documented and the record should include a positive statement regarding whether issues were found or not, the date that review was performed and the signature of the reviewer.” As part of gap assessments, firms should consider how they address the requirement for a “positive statement” regarding the data review. This section also addresses features of data review when a different organization generated the data, e.g., contract laboratories or contract manufacturers. In my opinion, this is an important addition. |
Revision | Section 6.16 addressing computerized system user access/system administrator roles is revised to 1) address login at the operating system and application levels, 2) address MRP systems that may have non-GXP components, and 3) revise access rights depending on clinical trial status for GCP documentation. |
Revision | Section 6.17 on Data Retention adds the term “validated” to describe the scanning process for paper records. The 2018 version does not address the circumstances where data is retained by a third party. |
Revision | Sections 6.17.1 and 6.17.2 on archive and backup, respectively, have been substantially expanded. The archive section specifically addresses how to manage legacy systems. |
Revision | Section 6.18 on file structure has been simplified and shortened. Details of flat files versus relational database structure have been eliminated. |