DATA INTEGRITY RISK ASSESSMENT

Transcription

1 DATA INTEGRITY RISK ASSESSMENT 1 1

2 Main DI risks 2

3 Main DI failures Access to data systems are not matched by role or function to job description For example, The Owner who is the COO of the company has security access to the database server which can pose a potential data integrity issue. QC laboratory managers have been granted an additional administrative account which is a shared account with more rights as needed. Check who has system access within the company Personnel is not taken off the access list when leaving or changing jobs within the company 3

4 Risk communication Unacceptable ICH Q9 Initiate Quality risk management process Risk Assessment Risk Identification Risk Analysis Risk Evaluation Risk Control Risk Reduction Risk Acceptance Risk assessment tools Team approach Outcome The result of quality risk management process Risk Review Review Events 4 4

5 To Manage Data Integrity Risks; With regard to systems, which data and records are produced and maintained based on regulations, and in which phases signature (control) is added to these processes, analysis of the processes according to the relevant regulations, Evaluation of the impact of data and records on product quality and patient safety, Identification of the hazards to which data and records may be exposed, Determination of the controls to manage the identified risks and confirmation of the successful application of these controls, Monitoring the effectiveness of controls during operation. 5

6 Risk Management Methodology Identify (Define) Risk Review and re-evaluate risk List the impact, likelihood of occurance and method of detection Take actions to reduce risk Evaluate risk 6 6

7 1. Identify risks Data Record Control System 7 7

8 2. Evaluate the severity of risk impact Medium Risk High Risk Low risk Risk: Patient safety & Product quality 8 8

9 9

10 2. Evaluate the severity of risk impact Corruption or loss of records; Could it cause a wrong decision about the quality, safety and effectiveness of the product? Could it cause the deterioration of the quality of the product and the release of this deteriorated product? Could it cause the product to be licensed with incorrect information? Could it cause withdrawal of product, wrong decision about product quality and patient safety? Are records requested by the authorities and used to reach product quality and patient safety decisions? 10 10

11 2. Evaluate the severity of risk impact QA Release decision QC Tests 11 11

12 3. Evaluate risks In order to be able to use one of the risk management techniques introduced in ICH Q9 QRM the following are required, The severity of the impact, Likelihood of occurrence, The likelihood of finding the fault before the hazard occurs (Detectability) 12 12

13 13 13

14 4. Take actions to reduce risks Control strategies should be established to control risks and reduce them to acceptable levels; Modification of processes, Modification of systems, Adoption of behavioral controls, Determination of procedural controls, Determination of technical controls

15 Behavioral Controls Under the leadership of senior management; within the scope of Data Management System; Determining the data owners within the life cycle, Providing training on the importance of data integrity, Creating a transparent working environment where errors, negligence, atypical results, are visible, Avoiding providing incentives to falsify for the employees, Creating an effective quality culture, 15 15

16 Procedural Controls Company procedures guarantee that; Applications that will minimize data integrity risks are functioning, Risk management techniques are implemented according to ICH Q9, 3rd party risks are controlled, Observations on manually recorded data (2nd eye, synchronous control etc.) are performed, Arrangements that enable records to be accessed at the locations where the activities are held are made, Empty forms are controlled and there are reconcilliation procedures for empty form use, All empty forms are checked by quality units

17 Technical Controls Throughout the company the following is required, All GxP critical computerized systems must be validated for the intended use, Access controls based on authorization levels Data deletion, change, etc. prevented, Proper assignment of duties and responsibilities, The computerized systems are designed to take records at the instant when a critical stage is completed, All computerized systems are assured to have audit trail function 17 17

18 Technical Controls Audit trail function is verified, Routine review of audit trails, Data transfer or transfer of data from one system to another are validated without exception, The copies of the records must be in integrity in terms of accuracy, content and meaning, Effective operation of backup and recovery procedures, When cloud systems are used, the safety of the relevant system is guaranteed and the necessary quality agreements are available, The physical locations of the data are determined taking into account geographical location-specific laws and if third parties are used to store the data, the relevant contracts and agreements have been made

19 5. Review Risks When the system and processes are periodically reviewed, the previously identified risks should be addressed, Whether or not there are hazards that have not been identified before, Whether previously identified risks against which preventive measures have been taken, still exist, Whether previously identified risks are invalid should be investigated