Issue link: https://www.e-digitaleditions.com/i/1483907
26 BioPharm International ® Manufacturing and Facilities 2022 eBook www.biopharminternational.com Audits And inspections rules and existing regulations in 21 Code of Federal Regulations (CFR) 211 for electronic systems (5). PIC/S Good Practices For Data Management And Integ- rity In Regulated GMP/GDP Environments—July 2021 (6)— gives an indication of the key elements to consider for an effective risk-based approach: "Data criticality (impact to decision making and product quality) and data risk (opportunity for data alteration and deletion, and likelihood of detection/visibility of changes by the manufacturer's routine review processes)." Therefore, regulatory expectations for audit trail review have become an established part of the GxP data lifecycle. Scope and intended use This article introduces a harmonized approach to per- forming a risk-based ATR developed by a working group of the International Consortium for Innovation and Quality in Pharmaceutical Development (IQ). It should be noted that the scope of this article in- cludes electronic instrument analytical data where raw data are stored in non-volatile memory (i.e., can be recalled later). Both enterprise and standalone data ac- quisition systems are in scope. Systems that do not generate data are out of scope. The following terms are defined (5): • technical control—computerized features like audit trail, backup mechanism, user management and security, electronic signatures and/or digital signatures to assist or enforce administrative and procedural controls • procedural control—standard operating proce- dures (SOPs) and work instructions for operation and administration, system user controls, com- puter system validation, calibration, network qual- ification, awareness training, etc. • system controls—combination of procedural and technical controls for a system. Risk-based approach Recent regulatory guidance such as those from FDA and MHRA emphasize the implementation of risk- based approaches to ensuring data integrity. The FDA guidance reminds us that, "CGMP regulations and guidance allow for f lexible and risk-based strategies to prevent and detect data integrity issues" (1). Similarly, the MHRA guidance describes "a risk- based approach to data management that includes data risk, criticality and lifecycle" (2). The concept of performing a data integrity risk as- sessment specific to a particular data acquisition and processing system is laid out in the MHRA guidance: "An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the pro- cesses that produce data or where data are obtained are mapped out and each of the formats and their con- trols are identified and the data criticality and inher- ent risks documented" (2). The data integrit y risk assessment is seen as a driver of compliance and prioritization of any neces- sary remediation activities. While audit trail review is often considered an essential part of ensuring data integrity, the same guidance clarifies that routine data review should include a documented audit trail review where this is determined by a risk assessment (emphasis added) (2). The appropriateness of any mitigation of a data in- tegrity risk should be assessed in the context of the criticality of the gap. MHRA defines critical risks as those that impact the potential of data or metadata "to be deleted, amended, or excluded without autho- rization." FDA states that, "Data integrity is critical throughout the CGMP data lifecycle, including in the creation, modification, processing, maintenance, ar- chival, retrieval, transmission, and disposition of data after the record's retention period ends" (1). It should be noted that archival and retrieval are out of scope for this paper on ATR. A decision t ree ha s been developed (Figure 1) where data types were categorized and the need for audit trail review considered. This ser ves as a risk assessment that can be used to determine the need for procedural controls, and the controls should be documented within the qualification package for new equipment or in change management system for equipment updates. A risk assessment, for instance the one described in Assessing Data Integrity Risks in an R&D Environment (7), may be used to define data integrity elements for a system where audit trail re- view is the chosen mitigation. Figure 1 is specific to ATR and does not include data review. For GLP, data review and ATR need to happen at the same time, for GMP there may be opportunity to separate and streamline some activities with a documented risk- based approach. Determining the need for and frequency of ATR Data risk. ATR should be considered for electronic GxP relevant data when a technical control does not remove the need to review the audit trail. A risk-based approach should be applied to ATR, and this general approach is described in Figure 2. Tools such as the risk filtering tool in International Council for Harmon- isation (ICH) Q9 (8) may be used. When possible, there is a preference to implement technical controls to reduce/eliminate the need for ATR. It is preferred to prevent an undesirable action from oc- curring if this is technically feasible. In cases where pre- vention is not possible, detection of the undesirable ac- tion through data review (including ATR) is required. In rare (limited) cases where an action may be neither pre- vented nor detected, discuss with additional business/