| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| 1 | Data Governance Policy: Is there one, and are IT personnel familiar with its content? Production, operations, QC lab personnel? | | |
| 2 | Is there a risk assessment for Data Governance of computerized systems? | | |
| 3 | Does the risk assessment consider risks related to the IT department? Does it consider risks related to outsourced IT operations? | | |
| 4 | Is there a list of authorized IT service providers? | | |
| 5 | Have IT service providers been audited? Review the most recent audit report and see if CAPAs have been addressed. Did the audit address data integrity/governance? | | |
| 6 | Is there a quality agreement in place with the service provider? Does it address data governance expectations / assign and define responsibilities between the service provider, the IT department and/or individual users? | | |
| 7 | Does the service provider interact directly with users or is all communication through the IT department? | | |
| 8 | Have service providers been provided GMP and specifically data integrity training, and are they familiar with the DI Governance Policy? | | |
| 9 | Are IT service providers permitted remote access to company computers? If yes, is access with or without prior specific user, or manager, permission for each entry to a user's workspace or to a computerized system serving a production, laboratory or other GxP-related activity/operation? | | |
| 10 | How are changes performed by remote access managed? Review some of the changes performed: is there a computerized audit trail for PROGRAMMING changes? | | |
| 11 | Is there a computerized systems policy? | | |
| 12 | Does it require all computerized systems with GxP impact to be compliant with: 21 CFR Part 11 (electronic records and electronic signatures); Annex 11 of the EU GMPs; other standards (define) ________________________________ | | |
| 13 | Is there a controlled (up-to-date, version number, page #s) list of GxP impact computerized systems? Does it describe: what the system does; where it is installed (list of PCs on which it is installed and authorized users); current validated software version? | | |
| 14 | Are there any legacy systems that do not meet Part 11 requirements for: unique user name/password for each entry with automatic LOGOFF. | | |
| 15 | Are data collection audit trails reviewed? At what frequency and by whom? Are they attached to the results reviewed by QP at release? | | |
| 16 | Ask an analyst to print out a data audit trail. Do they know how to do that? Review it on the computer: are the users identified by name or as User 1, 2, 3, or are they all just “User”? | | |
| 17 | Does the audit trail explain, in human-readable form, what change was made and why? If it describes the change but not the reason, ask the analyst, separately their manager, and separately the QP who released the batch, what the reasons are. In particular, focus on deletions. | | |
| 18 | Are programming audit trails (changes to directories, file deletion, alteration, changes to metadata) reviewed? At what frequency and by whom? How is the review documented and to whom is the outcome reported? Do findings appear in the CAPA system? | | |
| 19 | Are the user names and passwords program-specific or is a workstation accessed by entering a Windows user name and password? NOTE: if yes, probably all users are entering a single user name, and if a workstation has several programs installed, access to those programs is not controlled once the workstation is open. | | |
| 20 | Who holds the administrator password and what privileges does it allow (e.g. is the laboratory manager able to delete files)? Is there a policy describing what the administrator is allowed to do and how it is documented? | | |
| 21 | How are changes to programming, servers, and IT infrastructure managed? Is it by the company-wide change control program or an IT change control? Is there QA / Quality Unit sign-off? | | |
| 22 | Check if drawing tools are disabled (might allow “whiting out” a “small” unwanted peak on a chromatogram and wouldn’t be seen on the printout). | | |
| 23 | Are chromatograms sequential or are there numbers missing in the set? | | |
| 24 | Is there an SOP describing how the integration of chromatograms is performed? Is auto-integrate the default? If manual integration is performed, is the auto-integration also attached? | | |
| 25 | Are the integration parameters and setup in general printed out before performing the analysis / as part of the report? | | |
| 26 | How and by whom is the system clock set? Can it be changed to show an earlier time of processing data? | | |
| 27 | Is there a written policy regarding trial injections as part of system suitability? Does it forbid the use of test samples? What is the policy for filing and reporting failing system suitability tests: before, during, and/or after testing? | | |
| 28 | Is data deletion possible and how is it recorded in the audit trail? | | |
| 29 | Are memory sticks/thumb drives or other removable media allowed? Or is there a policy forbidding their use / drives sealed off / computers not fitted with USB ports? | | |
| 30 | Is there a written definition as to what constitutes raw data and how that is backed up? | | |
| 31 | What is the maximum time from QC results generation until review and approval / COA issuance? Is this covered by an SOP? Including stability testing results? | | |
| 32 | How are COAs generated? Is the template locked? Can it be overwritten? Does it match the specifications? | | |
| 33 | Are Excel files used for calculating QC results? Is there an SOP and are they validated and locked? | | |
| 34 | What provisions are in place (e.g. immediate signing and dating of printed copy with deletion of original data from template) to prevent changing data after calculation? | | |
| 35 | Check a template: is there data stored in it and does the company overwrite previous data? This is a known source of error. | | |
| 36 | Is there an IT Disaster Recovery Plan and does it address data governance? | | |
| 37 | Are there periodic efforts to restore electronic data backups from archives and documented checks of their integrity? | | |
| 38 | Is there a procedure for retiring computerized systems/software which ensures that raw data is preserved and can be reused for calculation verification if required? Over what period of time? | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| Attributable | | | |
| | Paper | | |
| 1 | Does your company maintain a signature log for employees that work in GxP areas? | | |
| 2 | Are staff trained in Good Documentation Practices outlining that GxP records must be initialled and dated? | | |
| 3 | Is the use of scribes prevalent in your company? | | |
| 4 | Are digital images of a person's handwritten signature permitted at your company? | | |
| | Electronic | | |
| 5 | Does the system use unique user logins with electronic signatures? | | |
| 6 | Are there audit trails in place recording the identity of operators entering, changing, confirming or deleting data? | | |
| 7 | Does the system identify and record the person releasing or certifying the batches? Is an electronic signature used? | | |
| 8 | Are staff trained on the fundamentals of data integrity, which emphasize never disclosing their usernames or passwords to other staff? | | |
| Legible | | | |
| | Paper | | |
| 1 | Are controls in place to ensure data is recorded using permanent, indelible ink? | | |
| 2 | Is the use of correction fluid, pencils and erasures prohibited? | | |
| 3 | Is there controlled issuance of bound, paginated notebooks for GMP activities? | | |
| 4 | Is archiving of paper records performed by an independent, designated archivist? | | |
| 5 | Are operators trained to use single-line cross-outs accompanied by an initial and date when recording changes to a record? | | |
| | Electronic | | |
| 6 | Is your stored data checked periodically for readability? | | |
| 7 | Are audit trails convertible to a generally intelligible form? | | |
| 8 | Can general users switch off the audit trail? | | |
| 9 | Is archived data checked periodically for readability? | | |
| 10 | Is data backed up in a manner permitting reconstruction of an activity? | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| Contemporaneous | | | |
| | Paper | | |
| 1 | Are staff trained in Good Documentation Practices emphasizing the importance of recording data entries at the time of activity? | | |
| 2 | Are staff trained in Good Documentation Practices emphasizing that it is improper to backdate or forward-date a record? | | |
| | Electronic | | |
| 3 | Does your system automatically generate a timestamp when data is entered? | | |
| 4 | Do electronic signatures contain an automatically generated timestamp? | | |
| 5 | Are users able to change the timestamps applied to records? | | |
| 6 | Are general users able to gain access and change the system clock or time zone settings? | | |
| 7 | Is data saved to unauthorized storage locations such as USB sticks? | | |
| 8 | Is there sufficient availability of user terminals at the location where a GxP activity takes place? | | |
| Original | | | |
| | Paper | | |
| 1 | Are sticky notes or other unofficial notepads permitted in GMP areas of the facility? | | |
| 2 | Are qualification/validation activities performed on original pre-approved protocols? | | |
| 3 | Is there a controlled and secure area for archiving of records? | | |
| 4 | Are original records readily available for inspection? | | |
| | Electronic | | |
| 5 | Is it possible to print out batch release records, showing any data that has been changed since the original entry? | | |
| 6 | Are your electronic signatures permanently linked to their respective record? | | |
| 7 | Does the person processing the data have the ability to influence what data is reported or how it is presented? | | |
| 8 | Does the system prevent the deletion of original data? | | |
| 9 | Is it possible to take screenshots and use snipping tools to manipulate data? | | |
| 10 | Is metadata periodically reviewed? | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| Accurate | | | |
| | Paper | | |
| 1 | Are forms, logbooks and notebooks formatted to easily allow for the entry of correct data? | | |
| 2 | Are procedures in place to independently review original paper records? | | |
| 3 | Are deviations and out-of-specification results investigated? | | |
| 4 | Are laboratory instruments calibrated and maintained? | | |
| 5 | Are secondary checks performed to check the accuracy of critical data? | | |
| 6 | Are staff pressured into meeting production targets, leading to compromised accuracy of records? | | |
| | Electronic | | |
| 7 | Do interfaces contain built-in checks for the correct and secure entry and processing of data? | | |
| 8 | Does your system perform a check on the accuracy of critical data and configurations? | | |
| 9 | Are systems periodically reviewed? | | |
| 10 | Are interfaces validated to demonstrate security and no corruption of data? | | |
| 11 | Is archived data protected against unauthorized amendment? | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| Documentation | | | |
| 1. | Entries are legible and clear. | | |
| 2. | Entries are performed on a real-time basis; no evidence of backdating. | | |
| 3. | Corrections are made so that the original entry is not obscured and are signed by the doer; corrections are dated and justified adequately. | | |
| 4. | Verify entries made by a single person for the signature (at least 5). | | |
| 5. | Page numbering is in sequence; no evidence of replacement/missing pages. | | |
| 6. | Extra copies of pages in the BMR/Analytical Test report are issued and authorized by the Quality Assurance department and the same is reflected on the document as such. | | |
| 7. | Logbooks (equipment: warehouse, manufacturing, quality control / others: environmental monitoring, equipment usage & equipment maintenance) are up to date, recorded on time basis and with entries corresponding to the actual actions. | | |
| 8. | The printout of the weighing balance is available for all tests involving weighing that directly or indirectly result in in-process material/batch release. | | |
| 9. | All the chromatograms are available along with the Analytical Report. | | |
| 10. | Is the injection sequence timing in line with standard/sample weighing and injection time? | | |
| 11. | Verify soft data against hard data for any change in data, unreported data or repeat testing. | | |
| 12. | Verify media preparation, reconciliation and destruction records. | | |
| 13. | Verify the incubation record and autoclave logs and ensure they are as per validated loads and media preparation. | | |
| 14. | Compare procedures against actual practices with reference to testing, sample handling, and recording of results. | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| Computer System | | | |
| 1. | PLCs used in the manufacturing, testing, or maintaining the critical process parameter are protected by passwords for individual users. | | |
| 2. | PLC has adequate control to prevent changes in process parameters, e.g. the display shows the parameters as per specification but the actual processing time has been changed in the PLC. | | |
| 3. | Individual balances (used in product testing and release-making decisions): | | |
| 4. | The site has a defined policy for user rights: | | |
| 5. | Is there a pre-defined procedure for the protection of data during maintenance (the Service Engineer has administrator rights)? | | |
| 6. | The computer system is password protected; all personnel have a dedicated Windows login and software login user name & password. | | |
| 7. | The computer system has adequate measures to prevent the following: | | |
| 8. | Check Recycle Bins for any files & folders related to analytical data. | | |
| 9. | Audit Trail: Is it enabled for all instruments having an associated computer system? If not, is a paper-based audit trail maintained? | | |
| 10. | Audit Trail review: | | |
| 10. | Verify that adequate procedures are in place for System Suitability & Sample Analysis Check: | | |

| Sr. No. | Checklist | Comments: YES | Comments: NO |
|---|---|---|---|
| 1. | Is the computer validated for its intended use? You are looking for a set of requirements that define the following: | | |
| What functions does the computer perform? | | | |
| 1 | Audit Trail: | | |
| 2 | Audit Trail review: | | |
| 3 | The computer system has adequate measures to prevent the following: | | |
| 4 | Verify the date/time on the computer is correct. | | |
| SECURITY | | | |
| 1 | For instruments: Is the computer system password protected? Do all personnel have a dedicated Windows login and software login user name & password? | | |
| 2 | PLCs used in the manufacturing, testing or maintaining the system: Are there unique individual user accounts, each for an individual user? | | |
| 3 | Are critical process parameter changes performed by someone other than the user and/or supervisors? | | |
| 4 | Do SOPs exist on the approval and removal of roles/users? | | |
| 5 | Are access reviews periodically performed and documented? | | |
| 6 | Is there a pre-defined procedure for the protection of data during maintenance (the Service Engineer has administrator rights)? | | |
| What are the critical data fields and records? | | | |
| 1 | Are the critical data fields defined in the requirements document? How are changes to these data fields done? By whom, and are audit trails reviewed for the changes? | | |
| 2 | PLC has adequate control to prevent changes in process parameters, e.g. the display shows the parameters as per specification but the actual processing time has been changed in the PLC. | | |
| 3 | Individual balances (used in product testing and release-making decisions): have a printout facility; the printout captures: balance ID, date & time. | | |
| How is the data backed up? | | | |
| 1 | Do SOPs exist on how data is backed up, including how often and what happens if a failed backup occurs? | | |
| 2 | Has the backup of data been tested? What files are backed up? Does it include the metadata? | | |
| 3 | Has a restore of the backup been verified and how often does this happen? Is it defined in an SOP? | | |
| 4 | Check Recycle Bins for any files & folders related to analytical data. | | |

- When looking at security features ensure that the critical parameter changes are not performed by the person who approves or owns the data.
- When approving the data, does the supervisor review the audit trail?
- Control for accounts that can change critical parameters
- Password expiration required
- Account management required
- Maintain a list of users with access to the password
- Logout functionality (automatic Logoff or SOP enforcement)
- Tracks actions of System Administrator
- Tracks changes to “rules” for operating the system
- These types of audit trails should be reviewed as part of the system periodic review process.
- Tracks actions of Users, Reviewers, Approvers
- Tracks changes to data
- These types of data audit trails shall be reviewed every time the data is being reviewed. Review needs to include data + meaningful metadata