Machine Translated by Google

1 Chapter 4: Documentation

2 Reasons for changes: The GMP/GDP Inspectors Working Group and the PIC/S Committee jointly 3 recommended
that the current version of Chapter 4, on documentation, is revised to reflect changes in 4 regulatory and manufacturing
environments. The revised guideline clarifies requirements and expecta- 5 tions from Regulatory Authorities with
regards to documentation and takes into account related changes 6 for Annex 11 of the GMP Guide.

Document map

Principle

Data governance systems

Risk management

General requirements for documentation

Master Documents

Generation and Control of Documentation

Good documentation practice

Signatures in GMP relevant documentation

Retention of documents

Data Integrity in documentation

Hybrid Systems

Glossary

Page 1 of 17
Machine Translated by Google

7 PRINCIPLE

8 4.1. Documentation constitutes an essential part of the quality assurance system and is key to operating in compliance
9 with GMP requirements. The various types of documents and means used should be fully understood and defined
10 in the regulated user's pharmaceutical quality system.
11

12 4.2. It should be determined by the regulated user which legal provisions apply to documentation
13 considering new technologies, hybrid solutions and services used.
14 4.3. Appropriate documentation practices should be applied with respect to the type of document
15 regardless of the applied technology or service used.
16 4.4. The present document was supplemented by requirements regarding new technologies, hybrid solutions and new
17 services, whereby a risk-based approach as element of a data governance system is considered pivotal for
18 scalability of integrity control measures.
19 4.5. Quality risk management principles should be applied to ensure that the pharmaceutical quality system includes
20 sufficient instructional details. It should facilitate a common understanding of the requirements. In addition to
21 providing for recording of the various pro-cesses and risk-based evaluation of any observations, it should
22 demonstrate the ongoing appli-cation of all requirements.
23

24 4.6. Suitable controls should be implemented using a risk-based approach to ensure the accuracy, integrity, availability,
25 and legibility of documents. Documents should be free from errors and available in human readable form.
26
27 4.7. Documentation may exist in a variety of forms, including paper-based, electronic, or other means (eg photography,
28 imagery, video and audio recordings). The main objective of the documentation system is to establish, control,
29 monitor and record all activities which directly or indirectly impact on all aspects of the quality and safety of
30 medicinal products, using a risk-based approach.
31

32 4.8. Whether documents are created, stored, and managed electronically, paper based, by other means or through a
33 hybrid system, they must meet the same GMP requirements for legibility, accuracy, integrity, and completeness
34 throughout the whole lifecycle. This also applies when documentation is outsourced.
35

36 4.9. There are two primary types of documentation used to manage and demonstrate GMP compli-
37 ance:
38 i. instructions (directions, requirements) and records/
39 ii. reports.

40 DATA GOVERNANCE SYSTEMS

41 4.10. Regardless of how documents are created, handled, stored, and managed (ie, using elec-tronic, paper-based, or
42 hybrid systems), the regulated user should establish a data governance system integral to the pharmaceutical
43 quality system to define, prioritise and communicate their data integrity risk management activities. Arrangements
44 for data governance should be documented and reviewed regularly.
45

46 4.11. Regulated users should design and operate a data governance system which provides an ac-ceptable state of
47 control based on the risk assessment, which is documented with supporting rationale. A data governance system
48 should be consistent with the principles of quality risk management.
49

50 4.12. To ensure integrity of data the governance system should cover the entire data lifecycle and ensure controls
51 commensurate with the principle of quality risk management. The data lifecycle-cle should refer to:
52
53 i. Creation and recording of data.
54 ii. Processing of (raw) data to reported (derived) data.

Page 2 of 17
Machine Translated by Google

55 iii. Verification of completeness, consistency and accuracy of all data (raw and derived
56 data). For derived data the traceability which allows reconstruction of all data pro-cessing activities
57 should be maintained.
58 iv. Decision making relying on data (or derived data).
59 v. Retaining, archiving and retrieval of data. To protect it from loss or unauthorized al-teration it should
60 be commensurate with the principles of quality risk management.
61 vi. Retirement or destruction of data at the end of the lifecycle in a controlled manner.
62 4.13. Data governance systems should rely on a risk management approach and consider: i. Data criticality
63 (impact to decision making and product quality) and
64 ii. Data risk (opportunity for data alteration and deletion, and likelihood of detection / visibility of changes by the
65 regulated user's routine review processes).
66 4.14. Data governance systems should rely on the incorporation of suitably designed systems, the use of technologies
67 and data security measures, combined with specific expertise to ensure that data integrity is effectively controlled
68 over the data lifecycle.
69 4.15. Data governance systems should address data ownership throughout the entire lifecycle.
70 4.16. Data governance systems should consider the design, operation and monitoring of processes and systems to
71 comply with the principles of data integrity.
72 4.17. Data governance systems should consider risk mitigation. The effectiveness of risk mitigation measures should
73 be reviewed regularly, regardless of whether they are temporary or perma-nent. Residual risks should be
74 reviewed periodically and communicated to management.
75 4.18. Data governance systems should consider and ensure the periodic review of service provider's data management
76 policies and risk control strategies intended to minimize potential risks to data integrity. The frequency of such
77 reviews should be based on the criticality of the services provided, using risk management principles.
78

79 RISK MANAGEMENT

80 4.19. The regulated user should adopt a risk-based approach in documentation throughout the entire lifecycle of data,
81 regardless of the technology, hybrid solution or service used and should demonstrate an understanding for data
82 criticality, data risk and data quality.
83 4.20. Controls over the data lifecycle should be established which are commensurate with the prin-ciples of quality risk
84 management. The depth of data governance and risk management activ-ities should be justified and
85 commensurate with the risks to product quality and patient safety.
86 4.21. Decisions on the extent of measures to ensure data integrity should be based on a documented rationale and
87 documented risk assessment taking into consideration data criticality and data risk.
88
89 4.22. Irrespective of processes used to generate electronic data, they must be included in the re-requirements for the
90 qualification or validation of the relevant computerized systems according to Annex 11.
91

92 GENERAL REQUIREMENTS FOR DOCUMENTATION

93 4.23. The pharmaceutical quality system should describe all documents required to ensure product quality and patient
94 safety. Documents may be created, recorded, provided, approved, commu-nicated, stored, and archived
95 electronically, paper based or in a hybrid system. process analytical technologies) is supported by automatic
96 validation scripts or artificial intelligence (Annex 22).
97
98
99
100
101 4.24. The accountability for the integrity of documents, records or (raw) data produced or processed Page 3 of 17
Machine Translated by Google

102 with artificial intelligence or any other automatic means (eg validation scripts) rests with the regulated
103 user.
104 4.25. The support by any automatic means (eg validation scripts or artificial intelligence) should be
105 included in a pharmaceutical quality system regardless of the service located on premise or as a
106 hosted service. The records created electronically should enable a trend analysis of quality-critical
107 data.
108 4.26. To ensure data processed integrity, data which is recorded or electronically should not be converted
109 to or stored in a paper form unless it meets the requirements set out in section 13 “hybrid systems”
110 or the conversion is validated or verified for accuracy.

111 MASTER DOCUMENTS

112 4.27. Specifically required master documents (not exhaustive list):
113 i. Site Master File: Refer to EU GMP Guidelines, Volume 4 “Explanatory Notes on the
114 preparation of a Site Master File”.
115 ii. Validation Master Plan: A document describing the key elements of the site qualification and
116 validation program. Master documents should be evaluated and reviewed on a regular basis.
117
118 iii. Instructions (directions, or requirements) type:
119 - Specification: Refer to glossary for definition
120 - Manufacturing Formulae, Processing, Packaging and Testing Instruction: Pro-vide
121 complete detail on all the starting materials, equipment, and computerized sys-tems (if
122 any) to be used and specify all processing, packaging, sampling, and testing instructions
123 to ensure batch to batch consistency. In-process controls and process an-alytical
124 technologies to be employed should be specified where relevant, together with acceptance
125 criteria.
126 - Procedures: (Otherwise known as Standard Operating Procedures, or SOPs), docu-mented
127 set of instructions for performing and recording operations.
128 - Protocol: defined set of activities to provide instructions for performing and record-
129 ing certain discreet operations.
130 - Technical / Quality Agreement: Written proof of agreement between contract givers and
131 acceptors for outsourced activities.
132 iv. Record/Report type:

133 - Record: Provide evidence of various actions taken to demonstrate compliance with
134 instructions, eg activities, events, investigations, and in the case of manufactured batches
135 a history of each batch of product, including its distribution. Records in-clude the raw
136 data which is used to generate other records. For electronic records regulated users
137 should define which data are to be used as raw data. At least, all data on which quality
138 decisions are based should be defined as raw data.
139 Records can also exist as hybrid records which is a combination of paper records, electronic records
140 or by other means. The completeness and integrity of records, in-cluding all relevant raw data and
141 meta data should be ensured and protected based on risk.
142

143 - Certificate of Analysis: Provide a summary of testing results on samples of products

144 or materials1 together with the evaluation for compliance to a stated specification.

1 Alternatively,
the certification may be based, in-whole or in-part, on the assessment of real time data (summar-ies
and exception reports) from batch related process analytical technology (PAT), parameters or metrics as per
the approved marketing authorization dossier.
Page 4 of 17
Machine Translated by Google

145 - Report: Document the conduct of exercises, studies, assessments, projects or inves-
146 tigations, together with results, conclusions and recommendations.

147 Specifications
148 4.28. There should be approved and updated specifications for starting and packaging materials,
149 intermediate, bulk, finished products, process aids and other quality critical material, as ap-
150 plicable. Specifications should include all attributes which are relevant for product quality on
151 each stage of material or manufacture.
152 Specifications for starting and packaging materials
153 4.29. Specifications for starting and primary or printed packaging materials should include the prod-
154 uct and its reference code, if applicable:
155 i. A description of the materials, including:
156 • The designated name and the internal code reference.
157 • The reference, if any, to a pharmacopeial monograph.
158 • The approved suppliers and, if applicable, the original producer of the material.
159 • A specimen of printed materials.
160 ii. Directions for sampling and testing.
161 iii. Qualitative and quantitative requirements with acceptance limits.
162 iv. Storage conditions and precautions.
163 v. The maximum period of storage before re-examination.
164 Specifications for intermediate and bulk products
165 4.30. Specifications for intermediate and bulk products should be available for critical steps or if
166 these are purchased or dispatched. The specifications should be similar to specifications for
167 starting materials or for finished products, as appropriate.
168 Specifications for finished products
169 4.31. Specifications for finished products should include or provide reference to:
170 vi. The designated name of the product and the code reference where applicable.
171 vii. The formula.

172 viii. A description of the pharmaceutical form and package details.

173 ix. Directions for sampling and testing.
174 x. The qualitative and quantitative requirements, with the acceptance limits.
175 xi. The storage conditions and any special handling precautions, where applicable.
176 xii. The shelf-life.
177
178 Manufacturing Formulas and Processing Instructions
179 4.32. Approved, written Manufacturing Formula and Processing Instructions should exist for each
180 product and batch size to be manufactured.
181 4.33. The Manufacturing Formula should include:
182 i. The name of the product, with a product reference code relating to its specification.
183 ii. A description of the pharmaceutical form, strength of the product and batch size.
184 iii. A list of all starting materials to be used, with the amount of each, described;
Page 5 of 17
Machine Translated by Google

185 mention should be made of any substance that may disappear while processing, of
186 processing aids needed or any other material relevant for product quality.
187 iv. A statement of the expected final yield with the acceptable limits, and of relevant in-
188 termed yields, where applicable.
189 4.34. The Processing Instructions should include:
190 i. A statement of the processing location and the principal equipment to be used.
191 ii. The methods, or reference to the methods, to be used for preparing the critical equip-
192 ment (eg cleaning, assembling, calibrating, sterilizing).
193 iii. Checks that the equipment and workstation are clear of previous products, docu-
194 ments or materials not required for the planned process, and that equipment is clean and suitable
195 for use.

196 iv. Detailed stepwise processing instructions [eg checks on materials, pre-treatments, sequence for
197 adding materials, critical process parameters (time, temp etc)].
198 v. The instructions for any in-process controls with their limits.
199 vi. Where necessary, the requirements for bulk storage of the products; including the container,
200 labeling and special storage conditions where applicable.
201 vii. Any special precautions to be observed.

202 Packaging Instructions

203 4.35. Approved Packaging Instructions for each product, pack size and type should exist.
204 should include, or have a reference to, the following:
205 i. Name of the product; including the batch number of bulk and finished product.
206 ii. Description of its pharmaceutical form, and strength where applicable.
207 iii. The pack size expressed in terms of the number, weight or volume of the product in
208 the final container.

209 iv. A complete list of all the packaging materials required, including quantities, sizes and types,
210 with the code or reference number relating to the specifications of each packaging material.
211
212 v. Where appropriate, an example or reproduction of the relevant printed packaging materials,
213 and specimens indicating where to apply batch number references, and shelf life of the
214 product.
215 vi. Checks that the equipment and workstation are clear of previous products, docu-ments or
216 materials not required for the planned packaging operations (line clear-ance), and that
217 equipment is clean and suitable for use.
218 vii. Checks on functioning of any electronic code readers, label counters or similar de-
219 vices.

220 viii. Special precautions to be observed, including a careful examination of the area and
221 equipment in order to ascertain the line clearance before operations begin.
222 ix. A description of the packaging operation, including any significant subsidiary operations, and
223 equipment to be used.
224 x. Details of in-process controls with instructions for sampling and acceptance limits.

225 Batch Processing Record

226 4.36. A Batch Processing Record should be kept for each batch processed. It should be based on Page 6 of
17
Machine Translated by Google

227 the relevant parts of the currently approved Manufacturing Formula and Processing Instructions,
228 and should contain the following information:
229 i. The name and batch number of the product.
230 ii. Dates and times of commencement, of significant intermediate stages and of comple-
231 tion of production.
232 iii. Identification (initials) of the operator(s) who performed each significant step of the
233 process and, where appropriate, identification (initials) of the person who checked
234 these operations.
235 iv. The batch number and/or analytical control number as well as the quantities of each
236 starting material weighed (including the batch number and amount of any recovered or
237 reprocessed material added).
238 v. Any relevant processing operation or event and major equipment used.
239 vi. A record of the in-process controls and the initials of the person(s) carrying them out,
240 and the results obtained.
241 vii. The product yield obtained at different and pertinent stages of manufacture.
242 viii. Notes on special problems including details, with signed authorization for any devia-tion
243 from the Manufacturing Formula and Processing Instructions.
244 ix. Approval by the person responsible for the processing operations.
245 Note: Where a validated process is continuously monitored and controlled, then automatic-
246 cally generated reports may be limited to compliance summaries and exception/ out-of-
247 specification (OOS) data reports.
248 With regards to decision making in manufacturing supported by automatic validation scripts or
249 artificial intelligence refer to paragraph 4 of this document.

250 Batch Packaging Record

251 4.37. A Batch Packaging Record should be kept for each batch or part batch processed. It should be
252 based on the relevant parts of the Packaging Instructions.
253 4.38. The batch packaging record should contain the following information:
254 i. The name and batch number of the product.
255 ii. The date(s) and times of the packaging operations.
256 iii. Identification (initials) of the operator(s) who performed each significant step of the process and,
257 where appropriate, the name of any person who checked these opera-tions.
258
259 iv. Records of checks for identity and conformity with the packaging instructions, in-
260 including the results of in-process controls.
261 v. Records of checks that the equipment and workstation are clear of previous products,
262 documents or materials not required for the planned packaging operations (line clear-
263 ance), that equipment is clean and suitable for use, and that any electronic code reader-
264 ers, label counters or similar devices are functioning as expected.
265 vi. Details of the packaging operations carried out, including references to equipment
266 and the packaging lines used.
267 vii. Whenever possible, samples of printed packaging materials used, including speci-mens
268 of the batch coding, expiry dating and any additional overprinting.
269 viii. Notes on any special problems or unusual events including details, with signed

Page 7 of 17
Machine Translated by Google

270 authorization for any deviation from the Packaging Instructions.

271 ix. The quantities and reference number or identification of all printed packaging mate-rials
272 and bulk product issued, used, destroyed or returned to stock and the quantities of
273 obtained product, to provide for an adequate reconciliation. Where there are vali-
274 dated electronic controls in place during packaging there may be justification for not
275 including this information
276 x. Approval by the person responsible for the packaging operations.

277 Receipt
278 4.39. There should be written procedures and records for the receipt of each delivery of each
279 starting material, (including bulk, intermediate or finished goods), primary, secondary and
280 printed packaging materials and QC-samples. The records of the receipts should include:
281 i. The name of the material on the delivery notes and the containers.
282 ii. The "in-house" name and/or code of material (if different from a).
283 iii. Date of receipt.
284 iv. Supplier's name and, manufacturer's name.
285 v. Manufacturer's batch or reference number.

286 vi. Total quantity and number of containers received.

287 vii. The batch number assigned after receipt.
288 viii. Any relevant comment.
289 ix. If applicable, proof of verification that temperature during transportation were within
290 the approved limit.
291 4.40. There should be written procedures for the internal labelling, quarantine and storage of start-
292 ing materials, packaging materials, QC samples and other materials, as appropriate.

293 Sampling
294 4.41. There should be written procedures for sampling, which include the methods and equipment
295 to be used, the amounts to be taken and any precautions to be observed to avoid contamination
296 of the material or any deterioration in its quality (reference to EU GMP Guideline Volume 4,
297 Chapter 6 “Quality Control”).

298 Testing
299 4.42. There should be written procedures for testing materials and products at different stages of
300 manufacture, describing the methods and equipment to be used. The tests performed should
301 be recorded (reference to EU GMP Guideline Volume 4, Chapter 6 “Quality Control”).

302 Other
303 4.43. Written release and rejection procedures should be available for materials and products, and
304 in particular for the certification for sale of the finished product by the Qualified Person(s).
305 All records should be available to the Qualified Person at the time of the release decision. A
306 system should be in place to indicate special observations and any changes to critical data.
307 4.44. Records should be maintained for the distribution of each batch of a product in order to facil-
308 itate recall of any batch, if necessary.
309 4.45. There should be written policies, procedures, protocols, reports and the associated records of
310 actions taken, or conclusions reached, where appropriate, for GMP relevant actions, including
Page 8 of 17
Machine Translated by Google

311 but not limited to the following examples:

312 i. Validation and qualification of processes, equipment and systems.
313 ii.Equipment assembly and calibration.
314 iii. Data integrity.
315 iv. Technology transfer.
316 v. Maintenance, cleaning and sanitation.
317 vi. Personnel matters including signature lists, training in GMP and technical matters,
318 clothing and hygiene and verification of the effectiveness of training.
319 vii.Environmental monitoring.
320 viii. Pest control.

321 ix. Complaints.

322 x. Recalls.

323 xi. Returns.

324 xii. Change control.

325 xiii. Investigations into deviations.
326 xiv. non-conformances eg out of specifications.
327 xv. Internal quality/GMP compliance audits.
328 xvi. Summary of records where appropriate (eg product quality review).
329 xvii. Supplier audits.
330 4.46. Clear operating procedures should be available for major items of manufacturing and test
331 equipment.
332 4.47. Logbooks should be kept for major or critical analytical testing, production equipment, and
333 areas where product has been processed or handled. They should be used to record in chron-
334 ological order, as appropriate, any use of the area, equipment/method, calibrations, mainte-
335 nance, cleaning or repair operations, including the dates and identity of people who carried
336 these operations out.
337 4.48. An inventory of documents within the pharmaceutical quality system should be maintained.

338 GENERATION AND CONTROL OF DOCUMENTATION

339 4.49. All types of documents (instructions and/or records) should be defined and adhered to
340 regardless of the documentation technology, hybrid solution or service. for documents should
341 be im-plemented to ensure the completeness, integrity and legibility of the records through-
342 out the lifecycle.
343
344
345
346
347
348 4.50. Documents should be designed, prepared, reviewed, and distributed in a controlled manner. They should
349 comply with the relevant parts of Product Specification Files, Manufacturing and Marketing Authorization
350 dossiers, or dossiers of Investigational Medicinal Products, as appropriate. The reproduction of working
351 documents from master documents should not allow any error or alteration to be introduced through
352 Page 9 of 17
Machine Translated by Google

353 the reproduction process.

354 4.51. Documents should be regularly reviewed and kept up to date. Documents should be approved, signed,
355 and dated by appropriate and authorized personnel. Documents should have unambiguous contents
356 and be uniquely identifiable. The effective date should be defined.
357
358 4.52. Documents containing instructions should be laid out in an orderly fashion and be easy to
359 review. The style and language of documents should fit with their intended use. Standard
360 operating procedures, work instructions and methods should be written in an imperative
361 mandatory style by using predefined format. Data entry formats for completion of documents
362 should be clearly defined. Written instructions may be sup-ported with pictures, photos or
363 videos. The documents containing the instructions should be easily accessible at the place
364 where the described activities are carried out.
365 4.53. Instructions and procedures within the Quality Management System should be regu-larly
366 reviewed and kept updated.
367 4.54. The issuance, revision, superseding and withdrawal of all documents should be con-
368 trolled with maintenance of revision histories.
369 4.55. Hand-written instructions are discouraged. Where documents require the manual entry of
370 data, sufficient space should be provided for such entries to ensure adequately clear and
371 legible manual recording.

372 GOOD DOCUMENTATION PRACTICE

373 4.56. Good Documentation practices are key to data integrity, and a fundamental part of a well-
374 designed pharmaceutical quality system.
375 4.57. Procedures outlining good documentation practices and arrangements for document control
376 should be available within the pharmaceutical quality system. Good documen-tation practices
377 should be implemented and enforced to ensure data integrity.
378 4.58. Data entries should be accurate, and made in clear, legible, indelible way. Recorded media
379 should be durable throughout the retention period. If this is not feasible, then true copies
380 should be generated. For this case a documented system should be in place to verify and
381 record the integrity of the copy.
382 4.59. Records should be made or completed at the time each action is taken and in such a way
383 that all GMP activities are traceable. It should be possible to identify the individ-ual or the
384 system that performed the task and when the task was performed.
385 4.60. Any alteration made to the entry on a document should be signed by the individual who made
386 the change and dated; the alteration should permit the reading of the original information.
387 Where appropriate, the reason for the alteration should be recorded.
388 4.61. Records need to be a truthful and consistent representation of facts to ensure the ac-curacy
389 of information, including data that is used to make critical decisions about the quality of
390 products.
391 4.62. Specific controls should be implemented to ensure the integrity of raw data and results
392 recorded on paper. These may include, but are not limited to:
393 i. control over the issuance and use of loose paper sheets (blank forms) at the time of
394 recording data.
395 ii. control over the issuance of bound, paginated notebooks.
396 iii. control over the issuance and reconciliation of sequentially numbered copies of
Page 10 of 17
Machine Translated by Google

397 blank forms with authenticity controls.

398 iv. Control that raw data is contemporaneously and accurately recorded by permanent
399 means.

400 4.63. Basic data integrity principles (table 1) applicable to both paper and electronic systems
401 (i.e. ALCOA++):
402
403 Table 1: Data integrity principles
Attributes Requirement
Attributable It should be possible to identify the individual or
computerized system that performed a recorded task and
when the task was performed. This also applies to any
changes made to records, such as corrections, deletions,
and changes where it is important to know who made a
change, when, and why.

Legible All records should be legible – the information should be

readable and unambiguous in order to be understandable
and of use. This applies to all information that would be
required to be considered complete, including all original
records or entries. Where the 'dynamic' nature of elec-
tronic data (the ability to search, query, trend, etc.)
is important to the content and meaning of the record,
the ability to interact with the data using a suitable
application is important to the 'availability' of the record.

Contemporaneous The evidence of actions, events or decisions should

be recorded as they take place. This doc-umentation
should serve as an accurate attesta-tion of what was
done, or what was decided and why, ie what influenced
the decision at that time.

Original The original record can be described as the first

capture of information, whether recorded on pa-per
(static) or electronically (usually dynamic, depending on
the complexity of the system). In-formation that is
originally captured in a dy-namic state should remain
available in that state.
Accurate Records need to be a truthful representation of facts to
be accurate.
Ensuring records are accurate is achieved through
many elements of a robust pharmaceutical-cal quality
system.
This can be comprised of: •
equipment related factors such as quali-fication,
calibration, maintenance, and computer
validation. • policies and
procedures to control ac-
tions and behaviors, including data re-view
procedures to verify adherence to procedural
requirements.

Page 11 of 17
Machine Translated by Google

• deviation management including root

cause analysis, impact assessments and CAPA.

• trained and qualified personnel who un-derstand the

importance of following established procedures
and document-ing their actions and decisions.

Together, these elements aim to ensure the accu-racy of

information, including scientific data that is used to
make critical decisions about the quality of products.

Complete All information that would be critical to recreating an event

is important when trying to under-stand the event. It is
important that information is not lost or deleted. The level
of detail required for an information set to be considered
complete would depend on the criticality of the inform-
mation. A complete record of data generated
electronically includes relevant metadata.

Consistent Information should be created, processed, and stored in

a logical manner that has a defined consistency. This
includes policies or proce-dures that help control or
standardize data (eg chronological sequencing, date
formats, units of measurement, approaches to rounding,
signifi-cant digits, etc.).

Enduring Records should be kept in a manner such that they exist

for the entire period during which they might be
needed. This means they need to remain intact and
accessible as an indelible/du-rable record throughout the
record retention pe-riod.

Available Records should be available for review at any time during

the required retention period, acces-sible in a readable
format to all applicable per-sonnel who are responsible
for their review whether for routine release decisions,
investiga-tions, trending, annual reports, audits or inspec-
tions.

Traceable
Traceability is the ability to trace the his-story,
modification or location of data by means of
recorded identifications.

404

405 SIGNATURES IN GMP RELEVANT DOCUMENTATION

406 4.64. Signatures are essential for ensuring accountability for activities in a GMP environ-ment at the time points the
407 signatures are executed.

408 4.65. A signature represents the legally binding will of the signatory. The signatory should sign with date and time. If
409 signatures by initials are in use a procedure defining abbre-viated signatures should be in place.
410
Page 12 of 17
Machine Translated by Google

411 4.66. The identification of the signatory should be possible. Data or documents which are associated with the
412 signature should be clearly identified. The meaning of the signa-ture (such as review, approval,
413 responsibility, or authority) associated with the sig-nature should be clear.
414
415 4.67. The regulated user should establish a signature policy to ensure the adequate application
416 of signatures. Personnel authorized to sign should be clearly identified by name and bound
417 by name to the signature policy.
418 4.68. The regulated user should have identified those records which require a legally bind-
419 ing signature.
420 4.69. Signatures should be indisputable and traceable to the signatory and the signed document
421 or record, regardless, if a signature is applied on paper or electronically.
422 4.70. If records exist electronically such records should be signed electronically. The use of a
423 hybrid system should be avoided. If signatures exist parallel in paper and electronically (eg
424 in hybrid systems), the regulatory relevant signature should be defined by the regulated user.
425
426 4.71. The signatory should be qualified and authorized to perform the relevant tasks or re-
427 views.
428 4.72. The regulated user should define the signatory's role and responsibility in the signa-
429 tion process.
430 4.73. The regulated user should ensure that the signatory's role and qualification is con-
431 sistent with the meaning (intent) of a signature.
432 4.74. To ensure the integrity of signatures during the whole life cycle of data the regulated user
433 should establish the management and control of signatures as an element of a data
434 governance system.
435 4.75. The data or documents which the signature is relevant for should fulfil the ALCOA++
436 principles.
437

438 RETENTION OF DOCUMENTS

439 4.76. It should be clearly defined which record is related to each activity and where this record is
440 located, regardless of the technology, hybrid solution or service used. Risk-based control
441 methods should be in place to ensure the integrity of the record through-out the lifecycle.
442 The control measures should be covered by the validation scope. In case of electronic
443 recording such measures should include back-up, restore and ar-chiving procedures as
444 well as physical and logical controls. If the regulated user on hosted services, it is the
445 responsibility of the regulated user to understand, approve and justify the control measures
446 of the hosted service provider based on a service level agreement. Records should be
447 available for review at any time during the required retention period, accessible in a human
448 readable format to all applicable personnel.
449 4.77. Specific requirements apply to batch documentation which must be kept for one year after
450 expiry of the batch to which it relates or at least five years after certification of the batch by
451 the Qualified Person, whichever is the longer. For investigational medic-inal products, the
452 batch documentation must be kept for at least five years after the completion or formal
453 discontinuation of the last clinical trial in which the batch was used. Other requirements for
454 retention of documentation may be described in legisla-tion in relation to specific types of
455 products (eg Advanced Therapy Medicinal

Page 13 of 17
Machine Translated by Google

456 products derived from human blood or human plasma) and specify that longer retention
457 periods be applied to certain documents.
458 4.78. For other types of documentation, the period retention will depend on the business activity
459 which the documentation supports. Critical documentation, including raw data (for example
460 relating to validation or stability), which supports information in the Marketing Authorization
461 should be retained whilst the authorization remains in force.
462 It may be considered acceptable to retire certain documentation (eg raw data sup-porting validation
463 reports or stability reports) where the data has been superseded by a full set of new data. Justification
464 for this should be documented and should consider
465 the requirements for retention of batch documentation; for example, in the case of process validation
466 data, the accompanying raw data should be retained for a period at least as long as the records for all
467 batches whose release has been supported on the basis of that validation exercise.
468
469 4.79. A documented process for the disposal of records should be in place to ensure that the
470 correct original records or true copies are disposed only after the defined retention period.
471 Measures should be in place to reduce the risk of deleting the wrong docu-ments. The
472 access rights allowing disposal of records should be controlled.

473 DATA INTEGRITY IN DOCUMENTATION

474 4.80. The method of documentation should be integrated in the regulated user's pharmaceutical quality
475 system. Documents or records should be controlled in a risk-based ap-preach regardless of whether
476 located in-house or in the form of hosted services. The regulated user should apply the principles of
477 data integrity, data criticality and data risk within a data governance system and should consider the
478 complete lifecycle of data. The data governance system should be an element of the pharmaceutical
479 quality system. integrity should be de-fined.
480
481
482 4.81. Risk based control measures should be commensurate with the type and the complexity of
483 a system. The pharmaceutical quality system should interface with independent review
484 practices to detect risks to data integrity. Risks from human factors should be considered
485 for effectively ensuring data integrity Risk-reducing measures such as sec-ond person
486 oversight, verification and checks should be implemented where appropri-ate and in the
487 appropriate time to ensure critical process and testing steps are accu-rately and
488 contemporaneously recorded.

489 HYBRID SYSTEMS

490 4.82. They should be clearly defined and identified, and each contributing element of the system
491 validated and controlled according to risk management principles.
492 4.83. A detailed description of the entire system should be available. The description should
493 outline all major components, their functions, and interactions with each other as well as
494 control for data management and data integrity. Procedures and records should be available
495 to manage and appropriately control the interface between manual and computerized
496 systems.
497 4.84. Appropriate quality risk management principles should be followed when assessing, defining,
498 and demonstrating the effectiveness of control measures applied to the sys-
499 tem.
500 4.85. Procedures should be in place to manage the review of data generated by hybrid
Page 14 of 17
Machine Translated by Google

501 systems which clearly outline the process for the evaluation, approval and archiving of electronic
502 and paper-based data.

503 GLOSSARY

504 ALCOA++ 505 An acronym for “attributable, legible, contemporaneous, original and accu-
506 rate”, which puts additional emphasis on the attributes complete, consistent,
enduring, available and traceable – implicit basic ALCOA principles.

507 Archiving 508 Long term, or permanent retention of completed documentation and relevant
509 metadata in its final form for the purposes of reconstruction of a process or
activity.

510 Automated script A piece of code used to automate repetitive processes

511 Data 512 The contents of the record. Data may be defined as measurable or descriptive
attribute of a physical entity, process, or event.

513 Data governance 514 The total sum of arrangements to ensure that data, irrespective of the format in
515 which it is generated, recorded, processed, retained and used, will be attribut-
516 able, legible, contemporaneous, original, accurate, complete, consistent, en-
during, and available throughout the data lifecycle.

517 Data integrity 518 Data integrity refers to the completeness, consistency, and accuracy of data.
519 Complete, consistent, and accurate data should be attributable, legible, con-
520 temporaneously recorded, original or a true copy, accurate and traceable (AL-
COA++).

521 Data lifecycle 522 All processes related to the creating, recording, processing, reviewing, chang-
523 ing, analyzing, reporting, transferring, storing, migrating, archiving, retrieving,
and deleting of data.

524 Data management 525 The set of all methodological, conceptual, organizational and technical
526 measures and procedures for handling data with the aim of incorporating it into
business processes.
527 Data risk 528 The combination of the probability of occurrence of harm and the severity of
529 that harm related to data (incompleteness, alterations or loss which compro-
mise the integrity of data).

530 Data Criticality 531 The degree of influence that data have on product safety as well as the
regulatory compliance of processes, decisions and product quality.

532 Data Risk Management An activity to be applied throughout the lifecycle of data considering the need 533 to ensure
data integrity. Risk management consists of risk identification, risk 534 assessment, risk mitigation and risk control. Risk
management should link to 535 other relevant procedures (eg configuration and change management, man- 536
agement processes for data, business risks, etc.).

537 Data Risk Assessment The process of evaluating the risks associated with the regulated user's data.
538 ensures an efficient and effective approach to data integrity by considering the 539 vulnerability of data to involuntary or deliberate

alteration resulting in risk- 540 based control measures.

Page 15 of 17
Machine Translated by Google

541 Data ownership 542 The allocation of responsibilities for control of data to a specific process owner. Companies
543 should implement systems to ensure that responsibilities for systems and their data are
544 appropriately allocated, and responsibilities under-taken.

545 Data quality 546 The degree to which a set of inherent characteristics (quality dimensions) of data fulfils
547 requirements.
548 Data should be fit for use in their intended operational, decision-making, and other roles and
549 should exhibit conformance to regulatory standards that have been set, so that fitness for use
is achieved.

550 Document 551 A formatted compilation of data. Operations and activities that are memorial-ized in (electronic)
552 records may consist of one or more documents that describe the activity in a moment of time.

553 Electronic records 554 Any combination of text, graphics, data, audio, pictorial, or other information representation in
555 digital form that is created, modified, maintained, archived, retrieved, or distributed by a
computer system.

556 Hybrid system A combination of paper based and electronic means.

557 Homogenous systems A system that is either paper or electronically based on-premises or a cloud 558
service.

559 Meta data 560 Describe the attributes of data and provides context and meaning. Metadata is any information
561 used for the identification, description, and relationships of electronic records or their elements.
562 Metadata gives data meaning, provides context, defines structure, and enables retrievability
563 across systems, and usa-bility, authenticity, and auditability across time.

564 Raw Data 565 Raw data is defined as the original record (data) which can be described as the first capture of
566 stored information, whether recorded on paper or electronically.
567 Information that is originally captured in a dynamic state should remain available in that state.

568 Record 569 Memorializes, or makes information permanent about, an action, activity and event that caused
its creation.

570 Regulated user 571 Marketing Authorization Holder, Manufacturers, control laboratories, import-ers, and wholesale
572 distributors (if the wholesale distributor holds a manufac-turing license).

573 Risk based approach for data integrity

574 A process to define critical data, documents and the actions used to monitor activities like
575 capturing, derivation, migration, storage, communication and archiving to ensure that data
576 and documents remain in a state of control through-out the entire lifecycle and to maintain its
577 integrity.

578 Specification 579 A list of tests, references to analytical procedures, and appropriate acceptance criteria that are
580 numerical limits, ranges, or other criteria for the test described.
581 It establishes the set of criteria to which a material should conform to be con-
582 sidered acceptable for its intended use. “Conformance to specification” means that the material,
583 when tested according to the listed analytical procedures, will meet the listed acceptance
criteria.
Page 16 of 17
Machine Translated by Google

584 True copy 585 An exact copy of original documentation that preserves the same content,
586 meaning and attributes of the original. The term “true copy” is synonymous
with “certified” or “verified copy”.

587 Type of service On-premises IT service or outsourced hosted (cloud) IT service

588 Verified copy Refer to definition of true copy

589 Data Risk Assessment The process of evaluating the risks associated with the regulated user's data.

Page 17 of 17