Summary of Significant Changes. Policy

Transcription

1 This Policy replaces POL251/1 Copy Number Effective 03/04/17 Summary of Significant Changes Addition of requirements of 2016 review of Guidance by MHRA, ALCOA+, and documents related to Policy The purpose of this policy is to set out the requirements NHSBT is expected to meet to ensure the Integrity of its Data, throughout the entire lifecycle. This includes compliance to the requirements of eugmp Chapter 4 on Documentation and Annex 11 for Computerised Systems and links to POL265 Records and Information Lifecycle Management. Definition: Data integrity is "the extent to which all data are complete, consistent and accurate throughout the data life cycle" (MHRA GMP Definitions & Guidance for Industry March 2015). This applies to data held in a paper or electronic format, or in systems that are a hybrid of these. Risk Management A risk-based approach is incorporated into all activities related to GMP, including data integrity for paper-based and computerised systems. This includes the approach to procuring systems, the software development lifecycle (SDLC), and associated procedures such as the creation of user requirements for software and applications. The risk analysis and management process for computerised systems, data integrity, or the management of records does not differ from the corporate policy on risk analysis and management. Systems development work and record-keeping at NHSBT is expected to comply with these procedures, regardless of GxP impact to ensure that patient safety, data integrity, and product quality is considered. However, the degree of effort and level of resource applied to systems control, including validation, should be commensurate with the criticality of the system and the inherent risks of the system e.g. manual vs. electronic recording, the degree to which data can be manipulated by users, etc. Requirements Data integrity is a fundamental part of the Quality Management System (QMS) to ensure product quality. Data integrity requirements apply to paper records and electronic data throughout the product life cycle: Raw data capture/initial generation Manufacture (process specifications, parameters and documentation) Processing (transformation/migration) Use (product traceability, haemovigilance, pharmacovigilance) Retention Archiving Retrieval Author(s): Angille Heintzman Page 1 of 6

2 The risk to data integrity can vary depending on the data or how the system generating the data can be configured. The complexity of the computerised system and the ongoing risk to data integrity should be risk-based and reviewed periodically (including legacy systems). Author(s): Angille Heintzman Page 2 of 6

3 Systems used by NHSBT should be designed in a way which encourages compliance with the principles of data integrity. General aspects to be considered: At least 2 years of data is retrievable in a timely manner for the purposes of regulatory inspection The primary record has primacy, i.e. where the same information is recorded concurrently by more than one system the data owner must define which system generates and retains the primary record User access rights which prevent data amendments (or audit trail available for creation/modification/deletion of data). Access to raw data for staff performing data checking activities. and the following considerations (following the acronym ALCOA+): Considerations Attributable Legible/Permanent Contemporaneous Original Accurate Complete Consistent Enduring Available Who acquired the data or performed an action and when Can the data recorded be read (and understood, including audit trail entries and throughout the entire data lifecycle, which may be 30 years+)? Can the record be accessed for review, audit or inspection over the lifetime of the record? Recorded on controlled paper or electronic media Are data and activities recorded in a timely manner? Is the electronic system clock synchronised? All elements of the recorded sequence of events follow on and are date or time stamped in the expected sequence Written documents, original printouts, or certified copies; documented backup of whole record. Does the metadata permit reconstruction? All data is present none omitted or destroyed No evidence of errors or editing without documented amendments All data is presented or available, without omission, i.e. includes failed tests, repeat/re-analysed samples Consistent generation of records and application of date and time stamps Data are not easily deleted or discarded, stored in controlled areas Data needs to be available and accessible for review, audit or inspection over the lifetime of the record FRM5678 Checklist is used to record compliance with the above principles, and any gaps to be documented on FRM5682 Action Plan. Validation There are documented procedures for the validation and qualification of systems and processes for both manual and electronic processes using a risk-based approach. Change control records are raised where applicable to manage sign-off from Quality, operational stakeholders, and other stakeholders such as ICT, to confirm readiness for new equipment, project implementations or regular technology application releases. Incidents are logged during the validation process using project-specific issues logs or through the Service Desk when supplier responses are required. The QMS adverse event system is used when the incidents or deviations are encountered on the live system and for data integrity incidents. Author(s): Angille Heintzman Page 3 of 6

4 Audit trails If the computerised system is configured for GxP compliance, then the audit trail and metadata must be backed up. A specification of which files are backed up should be defined and validated/reviewed periodically. Audit trails to computerised systems may only be available to system administrators of the computerised system, although some systems may include access via front-end user interfaces. Audit trails should be validated, including those that include paper records, and demonstrate that key information is recorded that cannot be manipulated without following documented processes. Access Control All individuals should have unique logins to access electronic systems. All user accounts should be created following documented processes, and requested changes to user accounts should be captured in the Service Desk management tool or Quality Management system. There should be a clear hierarchy of access levels for each system. These should be defined, validated and reviewed to ensure that staff only have appropriate access specific to their role. These should be periodically reviewed. Computerised systems should enforce password controls in line with security policies. System Administrators have an independent role, and where this is not possible, they should have dual accounts to differentiate what is performed as a system administrator and what is performed as a standard user. System administrator access should be restricted to the minimum of people possible, taking into account how broadly the system is used across the organisation, and considering the principle of least privilege. All requests to delete data or to make configuration changes are captured in the Service Desk management tool or Quality Management system. All configuration changes to computerised systems are made using the documented procedure. Data Migration Data migration testing is carried out when data are transferred from one format or system to another. Where large volumes of data are affected, checks for data integrity are carried out using a risk-based sampling approach detailed in: Nightingale, M. (2011) Validating Data Migrated onto Information Technology (IT) Systems. Pharmaceutical Engineering July/August 2011: pp 1-7. Data Storage NHSBT complies with legal requirements to retain records in a readable format for up to 30 years. Retention length depends on record type as defined in SPN189, NHSBT Record Storage. National computerised systems are hosted at resilient datacentres to protect against physical or electronic damage. Backups are undertaken on a daily incremental basis and on a monthly full basis. A rolling 13 months worth of backups are available. Restore from backup is checked on an annual basis. Computerised systems hosted locally should be backed up daily in full. A robust paper archive system must be in place, which protects the integrity of paper records throughout their entire lifecycle, and allows these to be easily retrieved. Electronic Signatures The systems comply with the Annex 11 s requirements to be permanently linked to the record with time and date recorded. Author(s): Angille Heintzman Page 4 of 6

5 Batch Release Currently only tissue batches are released by Quality Assurance personnel. Only designated QA personnel have access to remove the relevant data holds on products once all documentation has been reviewed and found to be satisfactory for the tissue product s intended use. The removal of the holds identifies the QA personnel at the date and time removed, constituting an electronic signature. Business Continuity Pulse and Hematos resilience is ensured by having back up servers on different sites that are designed to fail over without interruption to service. A standby issue system is in place in case of complete loss of Pulse functionality and other mitigations are detailed in business continuity plans. The systems are challenged when they are taken off-line during regular upgrades. Departments using computerised systems have individual business continuity plans. Data Review A review of Paper and Electronic source data should be periodically undertaken on a risk management basis during self-inspection. Suppliers and Service Providers Third party agreements are in place detailing responsibilities of both NHSBT and the supplier. Audits of third party providers are undertaken based on risk assessment within the supplier review and management system maintained by Quality Assurance. The competence of suppliers to meet NHSBT s stated requirements is assessed at contract tender stage. Where commercial off-the-shelf (COTS) software is used, supplier documentation will be assessed against requirements. Documentation relating to suppliers, including audit reports, will be available to inspectors when requested. All audit documentation is retained in Q-Pulse. Personnel All NHSBT personnel are expected to comply with data integrity requirements for paper and electronic records, and must complete mandatory training in and task-based Good Documentation Practice training. For systems development, co-operation between relevant personnel takes place via national meetings, for specific application groups as well as specific system-impacting projects who feed requirements into the aforementioned groups. There are also a number of dedicated national teams that work together to support computerised systems, including: Application Deployment and Support IT Service Management, including Implementation and Application Managers QA Technology Assurance Blood Supply IT Systems Development Team Specialist Services IT Systems Team Appropriate qualifications are assessed on appointment using person specifications and job descriptions. Ongoing training needs assessments are carried out through the PDPR process. Author(s): Angille Heintzman Page 5 of 6

6 Use of Scribes The use of scribes to record activity on behalf of another operator should be considered exceptional and only take place where: The act of recording places the product or activity at risk To accommodate cultural or staff literacy/language limitations, for instance where an activity is performed by an operator, but witnessed and recorded by a supervisor or officer. In both situations, the supervisory recording must be contemporaneous with the task being performed and must identify both the person performing the observed task and the person completing the record. The person performing the observed task should countersign the record wherever possible, although it is accepted that this countersigning step will be retrospective. The process for supervisory (scribe) documentation completion should be described in an approved procedure, which should also specify the activities to which the process applies. Author(s): Angille Heintzman Page 6 of 6