Company Logo

Standard Operating Procedure QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page 1 of 41

El-Nile Pharmaceutical Co.

Title: Computerized System Data Integrity

Approval Function Name Sign / Date.

Compliance &
Prepared by Validation Section xxxxx
Head
Documentation Section
Reviewed By xxxxx
Head
Approved By QA Manager xxxxx

DOCUMENT HISTORY
Issue No. Effective Date Page No. Changes History
001

Review Date Review Stamp

Copy No. Stamp Document Stamp

QA001/F01
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

1. Purpose:
1.1. To describe the framework for ensure compliance of GXP computerized systems with data
integrity regulatory requirements
2. Scope:
2.1. All El-Nile pharmaceutical Co. GXP computerized systems and associated records including
both legacy and new systems.
2.2. Manual records are excluded from this SOP as they are covered in data integrity governance of
manual records SOP
3. Responsibilities:
3.1. QA specialist
3.2. QA section head
3.3. All departments’ managers and Section Heads
3.4. QA Manager or designee
3.5. IT Manager
4. ATTACHMENTS
4.1. Attachment 1: Computerized system data integrity program template
4.2. Attachment 2: List of authorized personnel template
4.3. Attachment 3: Archiving request form
4.4. Attachment 4: Data integrity assessment survey
4.5. Attachment 5: Data integrity program deployment flowchart
4.6. Attachment 6: Legacy system data integrity governance flowchart.
5. DEFINITIONS

5.1. Data integrity: is the degree of completeness, consistency, and accuracy of data. Complete,
consistent, and accurate data should be attributable, legible, contemporaneously recorded, original
or a true copy, and accurate.

5.2. Data governance: the general arrangements to ensure that data (irrespective of the format in
which they are generated) are recorded, processed, retained and used to ensure the record
throughout the data lifecycle.

5.3. Computerized system: a system that collectively controls the performance of one or more
automated processes and/or functions. It includes computer hardware, software, peripheral devices,
networks and documentation, e.g. manuals and standard operating procedures, as well as the
personnel interfacing with the hardware and software, e.g. users and information technology
support personnel.

5.4. Original record (primary record): a record which can be described as the first-capture of
information, whether recorded on paper or electronically.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

5.5. True copy: a copy (irrespective of the type of media used) of the original record that has been
verified (i.e. by a dated signature or by generation through a validated process) to have the same
information, including data that describe the context, content, and structure, as the original.

5.6. Metadata: is the contextual information required to understand data. A data value is by itself
meaningless without additional information about the data. Metadata is often described as “data
about data”. Metadata is structured information that describes, explains, or otherwise makes it
easier to retrieve, use, or manage data e.g. the number “89” is meaningless without metadata, such
as an indication of the unit “ml.” Among other things, metadata for a particular piece of data could
include a date/time stamp for when the data were acquired, a user ID of the person who conducted
the test or analysis that generated the data, the instrument ID used to acquire the data, audit trails,
etc.

5.7. Audit trail: is a secure, computer-generated, time-stamped electronic record that allows for
reconstruction of the course of events relating to the creation, modification, or deletion of an
electronic record. An audit trail can be considered a form of metadata that is provided for secure
recording of data life cycle details. An audit trail is a chronology of the “who, what, when, and
why” of a record.

5.8. Good practices (GXP): It is a term (or acronym) describing the group of good practice guides
governing activities for regulated pharmaceuticals, biological and medical devices, such as good
laboratory practices, good clinical practices, good manufacturing practices, good
pharmacovigilance practices and good distribution practices.

5.9. Backup: a copy of current (editable) data, metadata and system configuration settings maintained
for recovery including disaster recovery.

5.10. Archive: a designated secure area or facility (e.g. computerized system) for the long term, retention
of data and metadata for the purposes of verification of the process or activity.

5.11. Process owner: personnel who is responsible for managing the process or processes using a
specific system.

5.12. System owner: personnel who is responsible for the availability and readiness of the system to be
used or operated by the process owner.

5.13. Administrator: personnel who has full access rights over a specific system. The main role for
system administrator is access management and system configurations. System owner granted the
administration when system owner is from two different functional area, otherwise system owner
cannot be the administrator due to the likelihood of conflict of interest. In this case, administration is
granted to independent personnel.
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

5.14. Data Owner: personnel who is responsible for backup and archival handling, storage and retrieval.
Data owner is usually the administrator, unless otherwise specified.

5.15. Conflict of interest: A situation in which a person is in a position to derive benefit from actions or
decisions made in their official capacity.

5.16. System SOP: an SOP that sets detailed procedure for operating the system (detailed low-level
SOP).

6. ABBREVIATIONS:
CSV : Computerized System Validation
DI : Date Integrity
DQ : Design Qualification
FA : Functional Area
FAH : Functional Area Head
GLP : Good Laboratory Practices
GMP : Good Manufacturing Practices
GXP : Good Practices
IQ : Installation Qualification
IT : Information Technology
KSH : Key stakeholder
OQ : Operation Qualification
PQ : Performance Qualification
QA : Quality Assurance
QC : Quality Control
SOP : Standard Operating Procedure
URS : User Requirement Specifications.

7. REFERENCES:
 International Society for Pharmaceutical Engineering (ISPE). (2017). GAMP Records and data
integrity guide.
 World Health Organization, WHO technical report series. Annex5: Guidance on good data and
record management practice. Extracted from: WHO expert committee on specifications for
pharmaceutical preparations, TRs 996 (fifth report).
 GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED
GMP/GDP ENVIRONMENTS PIC/S July 2021

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo
Standard Operating Procedure QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page 5 of 41

8. Procedures:

Introduction:
o El-Nile pharmaceutical Co. Computerized system categories:
El-Nile pharmaceutical Co. computerized systems greatly vary depending on complexity and function. El-Nile pharmaceutical Co. adopts the
categorization illustrated in the following organogram and table for their computerized systems and equipment.

Copy No. Stamp Document Stamp

QA001/F01
 Company Logo
Standard Operating Procedure QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page 6 of 41

Category Subcategory Description Typical Examples Minimum Requirements *

A0 Simple (non-configurable) Vortex mixer None
systems that don’t provide Hot plate
measurements and don’t
require calibration.
A1 Simple (non-configurable) Water bath - Only calibration before use.
systems that required
calibration but don’t provide
measurements or results.
Category A: Analytical systems

A2 Simple (non-configurable) Balance - Calibration before use.

systems that require pH meter - GLP-compliant printout with the
calibration and provide following specifications as minimum:
measurements or results. o Permanent readable data.
o Date and time stamp.
o Calibration is protected by a
password, otherwise the last
calibration date is included in
the printout.
A3 Standalone complex UV spectrophotometer - All requirements of this SOP.
(configurable) systems. - Validation for data integrity
specifications (as a part of system
validation).
A4 Networked configurable Empower network system - All requirements of this SOP.
systems. - Validation for data integrity
specifications (as a part of system
validation).
M0 Systems that have no contact Cartooning machine None
with the product during
Category M: Processing or

manufacturing or processing
manufacturing systems

(Non GMP).
M1 Systems that indirectly affect Building management - All requirements of this SOP.
the product during system (BMS) - Validation for data integrity
manufacturing or processing specifications (as a part of system
(GMP). validation).
M2 Systems that directly affect Autoclave - All requirements of this SOP.
the product during Preparation system - Validation for data integrity
manufacturing or processing Filling system specifications (as a part of system
(GMP). validation).
Category IT0 Systems that are not GXP PCs that are used for typing, None
IT: printing, etc.
Information
IT1 Systems that are GXP ERP system - All requirements of this SOP.
technology
(directly or indirectly) - Validation for data integrity
Systems
specifications (as a part of system
validation).

*: the
table determines only the minimum requirements for each category. A system may be in a
subcategory with few requirements and provide features of a higher subcategory (e.g. balance with
access levels). In such case, the requirements of the higher subcategory shall be required.

Copy No. Stamp Document Stamp

QA001/F01
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

o El-Nile pharmaceutical Co. New and legacy system workflows:

EL-NILE PHARMACEUTICAL CO. computerized systems are divided into 2 groups: new systems
and legacy systems.
New systems DI should be managed at the beginning from URS and they should be El-Nile
pharmaceutical Co. fully data integrity requirements compliant (as described in this SOP). Therefore,
the data integrity risk from new systems is expected to be low and be managed through proper
procedural controls.
On the other hand, legacy systems may be compliant on non-compliant to this SOP requirements.
Therefore, legacy system gaps must be clearly identified, properly addressed and their data integrity
risk should be evaluated and managed through planned actions.
Generally, Actions taken to minimize the data integrity risk may be: procedural and administrative
controls (e.g. SOPs and policies), physical controls (e.g. locks and physical barriers), or technical
controls (e.g. software upgrade and system replacement.)

El-Nile pharmaceutical Co. New computerized system DI governance:

1. Initiation and validation:
RESPONSIBILITY ACTIVITY
System owner and process 1. Determine to which category the system belongs to determine DI minimum
owner requirements needed from the system.
2. When filling URS template (xxx) according to Computerized system
validation SOP (xxx), take into consideration data integrity specifications
(according to the categorization and according to the use):
- Access authorization (access levels with desired functions)
- Date and time stamp (as in 2.1)
- Date and time security
- Audit trail format and capacity
- Backup capability
- Printout content
Validation specialist 3. As a part of system validation, ensure that data integrity specifications are
all covered as per URS.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

2. Deployment:
2.1. Date and time security and password policy:

RESPONSIBILITY ACTIVITY
Administrator 1. Adjust date and time according to an accurate clock or via synchronization
with reference clock.
2. Restrict date and time change to an administrator user account which is
accessed only by a person with no conflict of interest.
3. If applicable, use the following format for date and time stamp:
Date dd/mm/yyyy or dd/mmm/yyyy e.g. 27/12/2018 or 27-Dec-2018
Time HH:mm:ss (24 hours) e.g.14:55:43
4. If applicable, set the user account passwords to be automatically changed
every 90 days. Otherwise, procedural controls should be in place (system
SOP) to control password change periodically.
5. Set screensaver or automatic logout time to be 10 minutes.

2.2. Access Management:

RESPONSIBILITY ACTIVITY
System owner, Process 1. Define access levels with their functions needed from the system
owner based on:
a.The activities and process (es) required to be conducted by the users.
b. Different levels of accessibility allowed by the system.
2. Use Computerized System Data Integrity Program Template
(attachment no.1) to document the access matrix that includes and clearly
identifies:
a.Access Levels.
b. Access rights (privileges) for each access level.
c.Training Prerequisites for each access level.
The access matrix should:
a.Be applicable based on the accessibility features allowed by the system.
b. Cover all activities and processes required to be conducted.
c.Avoid granting access rights that lead to conflict of interest.
3. Use List of Authorized Personnel Template (attachment no.2) to:
a.Identify a list of authorized personnel who shall access to the system. If
applicable by the system, identify an alternative administrator with no conflict
of interest who shouldn’t have routine access on the system and should access
only in emergencies (e.g. if the original administrator account is blocked or
deactivated or if the password is lost).
b. Identify system owner, process owner and data owner.
4. In case of systems that doesn’t require access levels, delete the table

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY
template and type N/A instead.

2.3. Backup Program:

RESPONSIBILITY ACTIVITY
System owner (and 1. System owner identifies types of data to be backed up which shall include, if
administrator if they are applicable, the following:
different persons) a. Infrastructure software including system configurations.
b. Generated original records and metadata.
2. System owner determines frequency of backup.
3. Administrator determines a method of backup of data generated including:
a. Type of backup: automatic or manual (based on the capability of the system).
b. Detailed procedure of the backup.
c. Location of the backup, which must be secured from intentional or
unintentional abuse or corruption.
4. Administrator conducts initial infrastructure software backup including system
configurations. In case of system software upgrade take backup of the new
version and always keep the old versions as long as they are within retention
period.
5. System owner uses computerized system data integrity program Template
(attachment no.1) to document the previous identified items from 1 to 4.
IT specialist 6. In case the IT is not the administrator, they provide technical support and
technical solution regarding backup process and backup protection if needed

2.4. Audit trail review Program:

There are three main types of audit trail review:
a. Batch audit trail review: review of critical process parameters as a part of normal operational
data review and approval, usually performed by the FA which has generated the data (e.g.
analysis data reviewed by QC).
b. System audit trail review: review of audit trail functionality as a part of periodic review to
ensure they are always enabled and effective, usually performed by an independent area with
no conflict of interest (e.g. periodic audit trail reviewed by quality unit).
c. A tool to be used for investigation as a result of deviations or data discrepancies.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY
System owner and 1. Determine in the data integrity program (attachment 1) batch audit trail
process owner program which should include: Parameters that impact GXP decision (critical
process parameters) to be reviewed by batch (e.g. change in method, change in
set temperature, change in flowrate, reprocessing…etc.)
2. Set a procedure for reviewing batch audit trail in the system SOP as a
part of normal operational data review which should include:
2.1. The method of extraction of the audit trail record (usually by
determining the time boundaries between which the lot is tested or
manufactured).
2.2. The available evidence to batch audit trail review to support decision
making.
System owner and 3. Determine in the data integrity program (attachment 1) system audit
process owner trail program:
3.1. Activities that indicate intentional on unintentional abuse of the system
and may impact GXP records, for example:
o Unauthorized access.
o Uncontrolled change of system configuration.
o Uncontrolled deletion of data.
o Reprocessing of data,
o Audit trail disabling.
o Any disabled accounts for successive failed login.
o Ensuring that backups are per the defined program
3.2. Frequency of system audit trail based on risk assessment with a
maximum interval of 12 months (the attachment 1 provides a risk
assessment-based matrix for determining the review frequency).

3. Reviewing and approving:

RESPONSIBILITY ACTIVITY
FAH 1.Review:
a. The access matrix and the list of authorized personnel to ensure that all
activities required by the system are covered properly.
b. The backup program to ensure that all GXP records associated to the
system are included in the backup management plan.
c. The audit trail review program to ensure that all critical parameters
and activities are included in the program.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY
IT Manager 2. Review the backup program to ensure that all associated records and
infrastructure are to be stored or located in secured location.

QA Manager 3. Approve the access matrix, list of authorized personnel, backup

program and audit trail review program.
4. Implementation, maintaining and change management of the system:
RESPONSIBILITY ACTIVITY
System owner 1.Maintain the data integrity program and review every 12 months (± 1
month) and issue a new version of these records.
2.To apply change to data integrity program apply change control through
change control SOP.
3.To apply change to the list of authorized personnel, apply change control
SOP, keep a copy of the change control documents and then update the list in
its periodic review (every 12 months).
Administrator 4.Create unique ID and password for each personnel in the list which will be
considered as his electronic signature.
5.Conduct and maintain the backup process according what is stated in the
plan.
6.Conduct backup verification every year.
Process owner 7. Update SOP to include the batch audit trail review procedure (as a part
of normal operational data review) & the system audit trail review procedure
(as a part of periodic performance and effectiveness evaluation), mentioning
the method of extraction of the audit trail record (usually by determining the
time boundaries between which the lot is tested or manufactured).
8. Update the SOP immediately according to any corresponding update
in these records by the system owner (revise step 2).
9. Conduct batch audit trail as per procedure and manage violations
through deviation system (Deviation SOP)
QA specialist 10. Design a plan for system audit trail review (if any)
11. Conduct system audit trail review as planned and manage violations
through deviation system (Deviation SOP).

5. Archival:
RESPONSIBILITY ACTIVITY
Process owner 1. If applicable, standardize method for naming and specify location for
saving the records the system generated and document it in the operation
procedure (system SOP).
Note: Some systems have unmodified (fixed) standardization method for
saving location and naming which shall not require standardization by the
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY
user.
System owner 2. If required (e.g. due to limited space on the storage drive) or if
preferred (e.g. for sorting and ease of access to records), use Archiving
Request Form (attachment no.3) to request archiving of generated records
defining the archived period.
FAH 3. Review and approve or disapprove the request based on acceptable
rationale.
Administrator 4.Conduct the archiving as requested, indicating the location of archive in the
request form.
5. Retain the archive along the retention period of the records.
I. El-Nile pharmaceutical Co. Legacy Computerized System Governance:
RESPONSIBILITY ACTIVITY
FAH 1. Identify the legacy computerized systems in the FA or the department.
2. Assign a team to lead a project for addressing data integrity gaps and
risks in the legacy computerized system. The team shall at least be structured
as follow:
o FAH as project manager
o Project lead
o Process and system owners
o IT specialist
o QA manager for approval
Process owner and system 3. Create a master plan according to Master Document SOP which
owner should include the following:
o Purpose of the project
o Scope of the project
o Team structure
o Approval sheet
o Project phases
o Project deliverables
o Project timeline
o Project documentation
4. Take in consideration these milestones when determining project
phases:
a.Gap analysis or system assessment: using Gap analysis tool (attachment 4)
to identify the gaps in the system by answering with commenting on 48
questions covering the following topics about the system:
o Access control and security
o Data ownership

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY
o Records management
o Record creation
o Repeat testing
o Record review
o Audit trail
o Validation
o Change control management
o System clock
o Record retention
o Back up and retrieval
o Records archival
o Data migration
b. Risk evaluation: risk is evaluated (high, medium or low) based on its
impact on data integrity. The following table gives examples for illustration
only and it is not exhaustive. The true risk associating a specific gap should
be determined by the project team carefully and case by case based on their
full understanding of the system.

Risk is When it impacts Example

High Data falsification Date and time are not
secured.
No access authorization
Medium Probability of loss No backup capability
of data No audit trail
Low Printed report is not Incomplete metadata
complete

c. Prioritization of actions: actions suggested should be prioritized based

on the risk evaluation e.g. actions should be taken immediately to
remediate or reduce the high risk.
d. Dealing with long term remediation actions:
When remediation actions take long time to be implemented (e.g. system
replacement), risk reducing short term control actions should be taken to
provide acceptable level of data governance till remediation actions can be
implemented (e.g. procedural control should be in place to reduce the risk
of audit trail unavailability).
5. After action plan are implemented, follow the procedure in II. 2
Deployment.
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

RESPONSIBILITY ACTIVITY

9. Distribution List:

9.1. Top Management.

9.2. QA Department
9.3. QC Department
9.4. Regulatory (Local & Export) department
9.5. R&D department
9.6. Production Department.
9.7. Engineering Department
9.8. Supply-Chain Department
9.9. IT Department
9.10. Commercial & Export Department
9.11. HR Department
9.12. Pharmacovigilance Department

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo
Standard Operating Procedure QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page 15 of 41

ATTACHMENT (xxxxxx)

COMPUTERIZED SYSTEM DATA INTEGRITY PROGRAM

I. SYSTEM IDENTIFICATION:
Version number <System Code-DI.two-digit-version (e.g. QA007-DI-02)>

System Name <as in URS>

System Code

System Location

II. APPROVAL SHEET:

Role Position Name Signature Date

System
Owner

Process
Issued by Owner

IT specialist

Functional
Area Head
Reviewed
by Information
Technology
Manager

Quality
Approved
Assurance
by
Manager

Copy No. Stamp Document Stamp

QA001/F01
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

III. SYSTEM OVERVIEW:

System Category * ☐ A1: simple analytical systems without measurements.
☐ A2: simple analytical systems with measurements.
☐ A3: standalone complex analytical systems
☐ A4: networked complex analytical systems
☐ M1: manufacturing systems that indirectly contact the product
☐ M2: manufacturing systems that directly contact the product
☐ IT1: GXP IT system

System DI main ☐ Date and time security

capabilities ☐ GXP printout
☐ Access authorization
☐ Audit trail
☐ Electronic backup
☐ Electronic Archival
☐ Other
(Specify: ………………………………………….)
* Categories A0, M0 and IT0 were excluded from this list as they have no data integrity requirements.
IV. ACCESS MATRIX: <if not applicable, remove the table and write NA>

Access levels

Access rights

Prerequisite Training
V. ELECTRONIC BACKUP PROGRAM: <if not applicable, remove the table and write NA>
Data to be backed up 1.
2.
3.
Backup frequency

Backup type (automatic or manual)

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

Backup procedure

Backup location

VI. AUDIT TRAIL REVIEW PROGRAM: <if not applicable, remove the table and write NA>
Batch audit trail review System audit trail review
(Critical process parameters) (System functionality)

VII. SYSTEM AUDIT TRAIL FREQUENCY CALCULATION: <if not applicable, remove the table and write
NA>

Score
Question Answer
(Yes = 2, No = 1)

Can any recorded data be changed?

Can any change be made without detection?
Can data creation or data change be made with
personnel with conflict of interest?
Are there routine changes to data?

Risk score (individual scores multiplied together)

Frequency by month (12 divided by risk score)

ATTACHMENT (xxxxxxx)

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

List of Authorized Personnel

System Name

System Code

System Location

System Owner

System Owner FA

Process Owner

Data Owner

Authorization List:
Employee ID Name FA Username Access Level

Approvals:

System owner : ………………….………………..

System Administrator : ………………….………………..

FAH : ………………….………………..

QA Manager Signature : ………………….………………..

ATTACHMENT (xxxxxxx)
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

Archiving Request

System Name

System Code

Records to be archived

Archiving from (dd/mm/yyyy)

Archiving to (dd/mm/yyyy)

Reason for archiving

Archiving location

Data Owner

Requested by

Approved by FAH

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo
Standard Operating Procedure QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page 20 of 41

ATTACHMENT (xxxxxxx)
DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 1 Is access to use the system Consider operator, technician, engineer, Yes
& Security software application(s) recipe inputs editing, and security admin
controlled through unique type access for the system software
user ID's and passwords? applications but do not consider any
higher-level administration type functions
such as accessing the operating system
and database which are covered later
questions. Apply question to other
software applications that compose the
system.
Some systems will not require a user to
login to routinely use the equipment but
will require a user to login or authenticate
when changing GXP settings, this is likely
to be acceptable with an appropriate
rationale.

Access 2 Is access to use the system Record if there are any shared logins used No
& Security software application(s) and the nature of those logins. Consider if
controlled through generic the shared user password is it unique for
or shared user ID's and the system, or shared across multiple
passwords? systems.

Copy No. Stamp Document Stamp

QA001/F01
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 3 Is access to the system Record the automatic logout or automatic Yes
& Security software application(s) lock duration. Consider if the logout time
configured for automatic is appropriate to the process. Typically,
logout or lock after a period this would be 20 minutes or less, If the
of user inactivity? system does not log off users for inactivity,
or if the log off period is more than 20
minutes due to business necessity, record
the data integrity gap or rationale for the
extended log off timeframe.

Access 4 If the system can be directly Consider if the system can be accessed Yes
& Security accessed remotely by EL- remotely, for example for support purposes
NILE PHARMACEUTICAL via the network from the office or at home.
CO. Staff, is this access Record how the system is remotely
appropriately controlled? accessed, such as via remote desktop
across the Special Function Network. A
procedure should be in place to control
remote access. Record the procedure in
the comment column. Consider if remote
access is secure and restricted to the
appropriate individuals.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 5 If the system can be directly Remote vendor access must always Yes
& Security accessed remotely by remain disabled so uncontrolled remote
vendors, is this access vendor access is not possible. Remote
appropriately controlled? vendor access may be allowed for a
List procedure in Comments specified time period to address a specific
column. issue and access must be granted through
the appropriate system access procedure
or any remote vendor sessions directly
supervised and monitored by EL-NILE
PHARMACEUTICAL CO. Staff throughout
the full access period. Record if there is
remote access capability using modem or
network. Record how remote vendor
access is provided, e.g., LiveMeeting using
VNC.
Access 6 Is there a documented Answer for routine use only, not system Yes
& Security process that ensures that administration accounts. The procedure
only appropriately trained should cover levels of access, user access
and approved users are requests and approvals, user removal
granted access to the (movers, leavers and long-term sick),
system software training requirements, periodic access
application(s) , and that reviews and any access control
access is removed when no requirements such as password
longer needed. List complexity.
procedure in Comments
column.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 7 Do users have access only Consider if the available levels of access Yes
& Security to system software are appropriate to prevent conflicts of
application functionality that interest and that the access for each level
is appropriate and is documented. Confirmation may require
necessary for their job role? checking the system to verify that users
have the appropriate access levels
granted.
Access 8 If there are any enabled Vendor access should be controlled as Yes
& Security vendor user accounts on the with any other users. Record if the vendor
system, do they only have accounts are individual or generic. If the
access to the system vendor is an embedded member of staff
software application or then it would be appropriate for them to
system administration have access providing, they are trained in
functionality that is all the relevant procedures as EL-NILE
appropriate and necessary PHARMACEUTICAL CO. Staff would be.
for their job role? Typically, any vendor accounts used for
system deployment activities should be
removed or disabled at end of validation
activities. Record if there are any
procedures in place for the control of
vendor accounts.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 9 Does anyone with a Consider for example if the routine user No
& Security potential conflict of interest can edit security settings. Consider if you
have system access to know what levels of access each role has
modify or delete GXP and whether there is a conflict of interest.
records; or modify For example, could a supervisor change
configuration, recipes, data created by an operator in order for it
critical process parameters, to be changed to a pass rather than fail. If
machine settings, critical the reviewer of the data works for a
alarms, validated different area of the organization, e.g.
parameters or methods? quality then they would not deemed to
have a conflict of interest. Consider if
system functionality for recording GXP
critical alarm and events enabled and
protected from being disabled by anyone
with a conflict of interest.

Access 10 Are access rights for each This may be found in an approved lifecycle Yes
& Security access level utilized within document the FDS, RTM, IQ/OQ. Also
the system software record if it is available in an unapproved
applications documented in document, for example in the user manual.
an approved document? List
document in Comments
column.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 11 If system administration Answer this question for true system Yes
& Security accounts exist on the administrator accounts only, for example
system, is access restricted operating system or database accounts
to the minimum number of that have access to potentially modify
users necessary? data, disable audit trails, reconfigure the
application etc.
The number of administrators should be
minimized and users should have an
appropriate level of knowledge or
competency to be given access.
Access 12 Does the system provide a You should be able to show who currently Yes
& Security viewable record of current has access to a system and the access
system users and granted levels granted. Consider if the system
access levels or is a maintains viewable record of access levels
procedure in place that currently granted to individuals either on a
provides this information? If screen or on a printed report. Or, is a
procedurally controlled, list procedure in place that requires a
procedure in Comments documented record of access levels for all
column. individuals currently granted access to the
system?

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Access 13 Does the system maintain a You should be able to show who Yes
& Security viewable record of historical historically had access to a system and the
system users and granted access levels granted. Consider if an audit
access levels or is a trail exists on the system or if functionality
procedure in place that on the system exists to generate this data.
provides this information? If It is likely that a date range or specific date
procedurally controlled, list will be given. Consider if procedure
procedure in Comments related forms for access requests can be
column. used to build the required list.

Access 14 If used, are System Consider accounts such as operating Yes

& Security Accounts controlled and system, database and services that are
access to passwords limited used by the application. Consider who is
to appropriate support given access to these types of accounts. It
groups with no conflict of is not appropriate for El-Nile Co. with a
interest? If procedurally conflict of interest to have privileged
controlled, list procedure in passwords. If the accounts are EL-NILE
Comments column. PHARMACEUTICAL CO. Active Directory
privileged functional accounts they should
be controlled using PAMS.
Is there an assigned
owner(s) documented as This is in relation to primary record
being responsible for the electronic data. There may be more than
Data GXP records generated one data owner for different types of data
15 Yes
Ownership and/or maintained by the or where data is transferred to another
system? List document system. Consider if a documented system
reference in Comments owner is also the data owner.
column.
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Primary 16 If the same information is The designated GXP primary record that Yes
Record recorded in more than one takes precedence in the event of conflict
record, is the GXP primary between content of two or more records
record designated in an representing the same data or the
approved document? List record(s) GXP decisions are to be based.
document in Comments If there is only one source of data then it is
column. not necessary to specify that it is the
primary record.
Primary 17 Does the data used to make Often GXP records are created manually Yes
Record a GXP decision come from on paper where there is an electronic
most appropriate source in record that contains more relevant details
terms of being the most or of more suitable quality to inform the
complete and accurate GXP GXP decision than that contained on the
record? paper report. Consider if there is more
data in the system than currently on the
designated primary record which should be
included.

Paper 18 If printed reports are Yes

Records exclusively utilized as the Consider if the report includes who
GXP record, does the report generated the record, time/date, version of
include or provide reference report.
to all relevant information
(e.g. raw data, meta data,
audit trial information, critical
machine settings, recipe
settings)?
Paper 19 If both printed records and Consider for example appropriate Yes

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Records electronic records are used metadata such as batch number, product
for GXP purposes, does the number, time & dates, process order
printed record include number and test number.
information that uniquely
links it to its respective
electronic record?
Paper 20 If a printed report or pdf Consider that a system may be validated, Yes
Records report from the system is but when it was installed, there was no
being used to make a GXP intention to use the system reports (data
decision is there formal report but also alarm reports or audit trail
documented evidence (e.g. reports) so they were not included in the
validation testing) that scope of the validation. Consider if the
demonstrates the contents accuracy of the data, for example rounding
of the report accurately has been verified against the electronic
represent the source data.
electronic data? Record
reference to any supporting
documentation.
Record 21 Is GXP data recorded and Consider where data is recorded over Yes
Creation saved at the time it is multiple steps in a process that the
created so that it is a unique individual data points are recorded, rather
single transaction? than save at the end of multiple
transactions. Each transaction should be
recorded contemporaneously. Particularly
relevant for manual confirmations or data
entry. Consider what the timestamp
records for these processes.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Record 22 Does the system facilitate Consider if recording of data from a screen Yes
Creation accessibility of GXP can be done at the screen directly into the
records, or means to record GXP document and rather than use
data, at locations where manual transcription from one record to
activities that require another. Consider the use of radios /
recording take place so that telephones during calibration or cleaning
ad hoc data recording and activates. Where transcription is used the
later transcription to official original record should also be maintained
GXP records is not for traceability purposes.
necessary?
Record 23 Does the system save Consider if a user can view data and make Yes
Creation system generated GXP data a decision not to save it. For example,
automatically through a manual IPC's where an operator can view
validated process rather that the result and know if a pass/fail has
relying on a user to occurred before saving or recording the
manually save the data? data.
Record 24 Does the system store all It is important that any metadata is stored Yes
Creation necessary metadata to give to give the GXP record context. Consider
stored GXP records context user ID, batch name, process order
and meaning? number, material code, units, date, time,
limits, recipe, etc.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Repeat 25 Is it possible to Based on system functionality and ways of No

Testing inappropriately repeat a test working determine if the tester has the
or action with the intent to capability to conduct multiple tests or
achieve desired outcome or repeated tests, then not report all test
change GXP data to results. Consider challenging the system
achieve passing results? with repeat batch/test IDs (possibly
containing leading/trailing spaces).
Consider powering off system after results
are viewable to see if a result is retained.
In a manufacturing scenario also consider
that re-processing to produce data may be
inappropriate e.g. blending for a second
time and only reporting data for the second
blend. Even when a user does not have
access to delete a failed test result, the
system may not assure all test results are
submitted to assure the record of the test
is complete and accurate.
The assessment team needs to review
system functionality and ways of working
to determine if the tester has the capability
to conduct multiple tests or repeated tests,
then not report all test results.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Repeat 26 If inappropriate retesting is If retesting is possible then it is important Yes

Testing possible, are there controls that it is detected either within the system
in place that would ensure itself or through manual intervention.
this is detected? Consider for example if testing should be
witnessing for critical IPC's or processes
that can be duplicated.

Record 27 Is there a procedure Consider if the review of the GXP record is Yes
Review describing the process for documented. The procedure must include
the review and approval of any technical requirements for the review
GXP records generated by along with the specific review
the system including review requirements.
of raw data, metadata and
any modification to GXP
records? If procedurally
controlled, list procedure in
Comments column.
Record 28 Does the system provide Staff performing data review need to be Yes
Review access to all GXP raw data able to access complete raw data,
(or true copy) for staff including metadata. Some GXP decisions
performing data checking may be made on a summary of the raw
activities? data but all relevant raw data must be
available to the reviewer.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Audit 29 If GXP records can be For the purposed of this survey, recipes Yes
Trail created, is the data are to be viewed and GXP records. All
attributable to the individual GXP records created should be
who performed the action to attributable to the user creating the record.
create the record? Often this is recorded in an audit trail.

Audit 30 If GXP electronic records The detail in the audit trail should include Yes
Trail are modifiable in the key information such as who made the
system, does an electronic change, time & date that the change was
audit trail document who made, the reason for the change (unless
made the change, when obvious), and the original value. Review of
change was made, reason the audit trail is covered in a later question.
for change (unless obvious), The audit trail does not need to contain
while preserving what the every key stroke or button press for
previous data was? If example.
procedurally controlled,
describe and list procedure
in Comments column.
Audit 31 Are audit trails associated Consider who could edit the audit trail Yes
Trail with GXP records enabled without detection and whether there is any
such that they cannot be conflicts of interest. For example; it is not
disabled by users with a acceptable for a technician to be able to
conflict of interest and are edit an audit trail via the operating system.
locked from
editing/modification/deletion
by users with a conflict of
interest?

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Audit 32 For systems that have audit Current regulatory guidance has increased Yes
Trail trail capability, is there a the requirements for audit trail review
routine and/or periodic audit (routine and periodic review). You may
trail review performed per have already completed an audit trail
site procedure? review assessment against legacy
guidance (pre-2015 MHRA guidance).
Answer "No" if your audit trail review does
not meet current regulatory guidance.

The DI team will deliver further information

on how to undertake an Audit Trail Review
Assessment against current regulatory
requirements.

Audit 33 If audit trail review is This may be covered as part of the Yes
Trail required, are Data procedures governing normal business
Reviewers trained in the processes (e.g., batch documentation
procedure(s) for reviewing review procedure, laboratory testing
audit trails? If procedurally procedures).
controlled, list procedure in
Comments column.
Audit 34 Is there a documented This may be incorporated into existing Yes
Trail process that incorporates procedures (e.g., periodic review, L2
review of a sample of audit).
relevant system audit trails
by the quality unit? List
procedure in Comments
column.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Validation 35 Are the system software Consider if anyone with conflict of interest Yes
application(s) configurations is able to modify configuration or system
and critical system settings settings outside of allowable ranges and
defined and tested to ensure that this has been demonstrated through
they are locked from validation.
alteration by users with a
conflict of interest as part of
validation?
Validation 36 If GXP data is saved or Consider if data is also transferred to an Yes
transferred to an external external system such as a data historian,
system, has the save or data warehouse and whether the transfer
transfer process been process has been validated. Do not
validated. consider if the external system itself has
been validated for its intended use, since if
it is GXP it should be subject to its own
assessment.

Change 37 Are changes to system The change control procedure must Yes
Control code, configuration, recipes, require system changes be made under
critical machine settings, change control. The change control must
validated parameters and be approved by QA to assure proper
methods only allowed verification, testing and documentation;
through a quality approved and should include steps to ensure that
change control or any impact to any GXP records is
procedure? List change considered.
control method or procedure If there is the need to be able to adjust a
in Comments column. system within predefined validated limits, a
change control is not required if the

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

adjustment is controlled and verified

according to a QA approved procedure.
Several change control methods may
exist, for example ECC, recipe change
procedure, operating procedures,
administration procedure.
System 38 Are system clocks (time & Consider if a clock can be changed by a No
Clocks date) which are utilized to routine user to repeat or falsify GXP
time stamp GXP records records. Consider if there is the ability to
modifiable by anyone with a change time / date within the software
conflict of interest? application and if it is appropriately
secured. Consider operating system time
that may be used to time / stamp data.

System 39 Are system clocks (time & Record if the system is capable of being Yes
Clocks date) utilized to time stamp synchronized with an NTP time source if it
GXP records maintained isn't currently configured to do so. System
accurate either via clocks must be synchronized to an
automatic synchronization approved standard to assure accuracy and
or via procedural control? If alignment of time sensitive events. A local
procedurally controlled, list procedure must define the site process for
procedure in Comments the following:
column. Ensure controls (e.g., procedure) are be in
place to periodically check and where
appropriate adjust the clock to coincide
with an identified standard.

Record 40 Are there at least 2 years of Record how long GXP records are is Yes
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

Retention GXP historical records retained on the system and readily

stored with any associated retrievable.
raw data/metadata/audit
trails, required for the record
to maintain its meaning,
readily retrievable in a timely
manner for the purposes of
inspection support?
Record 41 Are there procedures which Consider if any historical GXP data is ever Yes
Retention cover GXP record retention removed from the system either
periods for the system automatically or manually or if it is over
and/or is the current system written after x time.
configuration compliant with
data retention policy? If
procedurally controlled, list
procedure in Comments
column. Record data
retention period.
Backup 42 Are GXP records backed-up Record if and how data is backed up. Yes
automatically or
procedurally to minimize the
risk of data loss? If
procedurally controlled, list
procedure in Comments
column.
Backup 43 If GXP records are backed Consider who has access to alter or delete Yes
up, are the back-ups the backed-up data and any conflicts of
secured so they cannot be interest.

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

modified or deleted by
anyone with a conflict of
interest.
Backup 44 Is there a validated backup Disaster recovery typically consist of Yes
and recovery process for multiple steps. For example; restore the
system GXP records, operating system and software application,
metadata, settings and restore settings/ configuration and restore
configuration for disaster the system database containing historical
recovery purposes? data.
Archival 45 If archival is in place, is it Consider for global supply products the Yes
possible to recover and read retention period is typically batch expiry
archived GXP records and plus 1 year but for NPI / clinical trails the
metadata throughout the retention period can be 30 years. Consider
retention period? if the format of the data can only be read
by the specific system so if the system is
decommissioned how will the data be
recoverable and readable.

Archival 46 If archival is in place, are Record how the data is achieved by the Yes
there validated automated system. Record if there is a procedure for
processes or procedures recovering the archived data. Record if any
which cover the GXP data printed reports are archived. Consider if
archive? If procedurally any automated archival and retrieval of the
controlled, list procedure in data has been validated.
Comments column.
Archival 47 If GXP records are archived, Consider who has access to alter or delete Yes
are the archived records the archived data and any conflicts of
secured so they cannot be interest.
Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx
Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
 Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

DI Category Question Assessment Question Response Guidance Expected Site Response Gap Proposed
Response Response Comments Score actions (if
applicable)

modified or deleted by
anyone with a conflict of
interest?
Archival 48 If system GXP records are Record if records are stored by a 3rd party. Yes
stored at a 3rd party is the Consider both archiving of paper records
ownership and retrieval and physical media (e.g. tapes) that may
process clearly defined and be stored by a third party.
documented? The responsibilities of any 3rd party
archive contract giver and acceptor must
be defined in a contract (e.g. TTS or
Quality Agreement).

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

ATTACHMENT (xxxx)

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

ATTACHMENT (xxxxx)

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature:
Company Logo Standard Operating Procedure
Computerized System Data Integrity
QA Dept.

Issue No : Issue Date: Effective Date:

Code No: Valid To: Page

Prepared by: xxxxxxxx Reviewed by: xxxxxxxx Approved by: xxxxxxxx

Title: Compliance & Validation Section Head Title: Documentation Section Head Title: Quality Assurance Manager
Signature: Signature: Signature: