WTO New version of QAS/19.819 "Guidelines for Data Integrity Sep 06

Recently, WHO released a new version of QAS/19.819 "Data Integrity Guide" (draft for comments). The new "Data Integrity Guide" contains the following chapters:

The guide is interpreted as follows:

Measures to mitigate data integrity risks include but are not limited to:

Develop and implement DI policies;

Establish and implement procedures to help comply with DI requirements and expectations;

Adopt a quality culture within the company to encourage employees to be transparent about failures, including reporting mechanisms;

Through Data Integrity Risk Assessment (DIRA) and implementing appropriate control measures, apply QRM to all risk areas of DI, thereby eliminating or reducing the risk to an acceptable level throughout the data life cycle;

Ensure that there are sufficient resources to monitor compliance with DI policies and procedures and promote continuous improvement;

Provide necessary training for personnel such as good practices, computerized systems and DI;

Implement and verify a computerized system suitable for its intended use;

Define and manage the appropriate roles and responsibilities of the quality agreement and contract concluded between the contract client and the contract trustee.

DIRA (Data Integrity Risk Assessment) should be carried out to identify and assess risks.

The principle of data integrity also applies to contract principals and contract trustees. The contract entrusting party is ultimately responsible for the integrity of the data provided to them by the contract entrusting party. Therefore, the contract entrusting party should ensure that the contract entrusting party abides by the principle of data integrity.

There should be a written DI policy.

The senior management is responsible for establishing and implementing an effective quality system and data governance system. This applies to paper and electronically generated data. The data governance system should include:

The importance of training DI principles;

Create an appropriate working environment; and

Actively encourage reporting of errors, omissions and adverse consequences.

The data governance program should include policies and procedures for handling data management. Elements of effective data governance should include:

Management supervision and commitment;

Use quality risk management

Good data management principles;

Quality measures and performance indicators;


Change management

Security and access control

Configuration control

Prevent pressure from business, politics, finance and other organizations;

Prevent incentive measures that may adversely affect the quality and integrity of the work;

Sufficient resources and systems;

Workloads and facilities to promote the right environment to support DI and effective control;


Record keeping


Understand the importance of DI, product quality and patient safety.

If defects in DI are found, appropriate corrective and preventive actions (CAPA) should be implemented in all related activities and systems, rather than implemented in isolation.

Changing from automated or computerized systems to paper-based manual records does not in itself eliminate the need for proper DI control, and vice versa.

Good records (paper and electronic) include but are not limited to:

Limit the ability to change the date and time of recorded events;

Use controlled documents and forms to record GXP data;

Control the issuance of blank paper templates;

Develop access and permissions to the automation system;

Activate audit trail

Use automatic data acquisition systems and printers connected to equipment and instruments in production and quality control as much as possible;

Ensure that the printer is close to the relevant event location;

Ensure that those responsible for reviewing and checking the data have access to the original electronic data.

Data and recording media should be durable. The ink should last for a long time. Thermal or photosensitive inks and other removable inks should not be used, or fadeable inks should be identified to ensure that the data can be traced during its life cycle.

Paper should not be temperature sensitive, photosensitive or easily oxidized. If it is unavoidable, a true copy or a certified copy should be provided.

The effectiveness of systems, procedures, and methods used to record and store data should be reviewed regularly, and systems, procedures, and methods related to new technologies should be updated when necessary.

A written data integrity risk assessment should be carried out. This should include the systems and processes used to generate the data, as well as the criticality and inherent risks of the data. Risk assessment should include computerized systems, auxiliary personnel, training and quality systems.

The guidelines emphasize the importance of management reviews for data integrity governance.

Compliance with DI policies and procedures should be reported at regular management review meetings.

The effectiveness of management review's control over data integrity should be measured based on quality metrics and performance indicators. This should include, for example:

Data tracking and trends;

DI error rate

Review audit trails, such as production, quality control, GLP, case reports and data processing;

Daily audits and/or self-examinations, including DI and computer systems; and

DI error rate of outsourced factories (contracted parties)

Regarding outsourcing activities, the written agreement should clearly state the activities and responsibilities of each party (contract client and contract trustee). Special care should be taken to ensure compliance with DI requirements.

During regular on-site audits, compliance with rules and responsibilities should be confirmed. This should include reviewing procedures and data (including raw data and metadata, paper records, electronic data, audit trails, and other relevant data) related to the product or service of the contracting party and the contracting party.

There should be a file system that defines the access and permissions of the computer system users.

A limited number of people (with no conflicts of interest in terms of data) should be appointed as system administrators. Certain permissions (such as data deletion, database modification, or system configuration changes) should not be assigned to administrators for no reason.

Data transmission should not result in any changes to the content or meaning of the data. The transmission should be tracked in the audit trail.

Data transmission should be verified.

If additional software or legacy systems are used (without audit trail), mitigation measures can be taken for the defined temporary period. This issue should be resolved within the prescribed timetable.

The backup and recovery process should be verified and regularly tested, including verification of data size, completeness and accuracy of data and metadata.

Data and metadata should be readable during the life cycle of the data. Risks include fading of microfilm records, reduced readability of coatings on optical media such as compact discs (CDs) and digital versatile/video discs (DVDs), and the fact that these media may become brittle. Similarly, due to deterioration, historical data stored on magnetic media will become unreadable over time. Data and records should be stored in an appropriate manner under appropriate conditions.

Learn more about Medical Stability Test Chamber.
Source: GMP Office

Contact Now

Contact Now