Data Integrity - Do Data Flow Diagrams have to be available?

"If you can't explain it simply, you don't understand it well enough." Even if this quote is not originally from Albert Einstein, it applies absolutely by elaborating qualification, validation, and data integrity strategies. Today's systems are very often complex and interconnected. Nevertheless, this complexity must not be used as an excuse to justify fuzzy and unclear qualification strategies. This situation was already identified by the European regulators in 1992. It led to the requirement that every computerised system should have an up-to-date system description - EU GMP Guide Annex 11 (1992) Item 4.

As of September 2002, PIC/S PI 011 [PI011] spelled out this requirement in more detail. Data flows were explicitly mentioned as part of any system description [PI11:24.T1.11]. The revised Annex 11 [A11 2011:4.3] also requires data flows, even if this requirement is only mandatory for "critical systems".

EU GMP Guide Annex 11 (2011) Item 4.3 "An up to date listing of all relevant systems and their GMP functionality (inventory)
should be available. For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available."

Data flows should be created at first for Good Engineering Practice reasons, since such graphical representations are as important for a computerised system as the hardware and software architecture. Additionally, these available data flows enable the fulfilling of regulatory compliance requirements. Clear and accurate data flows are an important communication tool for numerous activities, including

  • Risk management
  • Design review
  • Data integrity review
  • Planning of disaster recovery und business continuity measures
  • Training of users and system administrators
  • Inspections and audits.

In the context of data integrity, data flows are essential. Based on such data flows, the following aspects and the required controls can be assessed in detail, for example:

  • Manual data entry
  • Interfaces between systems
  • Interfaces between system components
  • Media change - Data Flow disruptions
    - Printout of electronic data on paper 
    - Re-entry of printed data into the system 
  • Data conversion, including: 
    - Data normalisation
    - Data linearization 
  • Data migration
  • Data archiving

Both WHO as well as PIC/S have emphasised the importance and benefits of data flows in their guidance on data integrity - see [TRS996A5:A1] [PI041:5.5.3]. A systematic creation of data flows should be aimed: not only for critical systems but for all systems. This ensures a common understanding of the new systems, the data created, and the technical controls required, as well as establishing a consistent approach well established based on Good Engineering Practice. With simple systems, the creation of the relevant data flows does not cause any particular difficulty. Nevertheless, a clear presentation of the data flows is always valuable.

For complex systems, these data flows are indispensable. They should be drafted at an early stage of the project in order to support efficiently and meaningful risk management and design review activities. The data flows must be kept up-to-date to reflect not only the system architecture but also the processes over the complete data life cycle.

Author: Yves Samson

References:

WHO Guidance on good data and record management practices
PIC/S Good Practices For Data Management And Integrity In Regulated GMP/GDP Environments Draft 3

Go back

x