Data Base Transfers & Validation for Part 11 & Annex 11 Compliance
We recently received these questions: “Are data base transfers part of software validation? If yes, how can we validate the transfer?”
The transfer of data from one database to another is an important thing to get right. I don’t usually call it software validation, because this isn’t usually part of the built-in functions of a software system. If it was part of the built-in functions, we wouldn’t be talking about having to transfer the data! Electronic databases are used by computerized systems and they often contain electronic records that are used to replace paper records. This means they fall under Part 11 and Annex 11.
This would justify validation/qualification efforts if the records contain information of GMP relevance. Transferring data falls under a change control. Change control must demonstrate to regulatory bodies that systems remain under control during any change. We know that change control is a favorite target of auditors because they are a good example of your organization’s ability to control its systems.
Basically, in a transfer of data from one location to another we need to be prepared to prove that the data was transferred completely, without omissions or errors. We can do this by verifying the data set (perhaps validating the verification tool), or by validating the data transfer process (And that is software validation, but usually using existing tools) .There are a few ways you could go about this, but first we need to get very clear on validation vs. verification.
To do this, we refer to the FDA’s “Quality System Regulation CFR Title 21 Part 820, which states:
820.3(z) Validation means establishing by objective evidence that the particular requirements for a specific intended use can be consistently fulfilled.
820.3(aa) Verification means confirmation by examination and provision of objective evidence that specified requirements have been fulfilled.
Now, we offer two common verification strategies for data base transfers:
- Transfer your data and do a 100% verification. This actually doesn’t validate anything, but it does verify your transfer was successful without corruption. If you are using a standard tool, such as “Copy and Paste,” within a standard well-tested application such as a Microsoft Operating System, then you can probably get away with just verifying the number of files, and the size of the files, to show that nothing has changed. Again, this isn’t really validation, because you are “confirming by examination” a.k.a.: verification. We recommend the use of an application for comparison that will look at the two data sets – original and transferred – to verify that they are identical.
- Now if we want to validate the process, we would generally do this by validating our verification tools. That’s the part that requires validation – the tool. We would choose our data transfer tool, then transfer a fake data set (this could be a copy of our GMP data). Then we make some specific types of changes to our data set – omissions, duplications, wrong data, missing entries, extra entries, etc. Then we run our verification tool and verify that the verification tool is identifying all the changes.
If we do this in the documented environment of a validation protocol, with acceptance criteria, and repeat it enough times, this should stand as a validation of the verification tool. It will be dependent on our ability to be creative (rely on your IT experts here) on exactly what kinds of data errors we should be testing for.
Now, the disclaimer – we recommend the use of validated verification tools.
We hope this gives you some idea of how to approach the problem, but we strongly suggest you talk to your nearest IT professional about validating verification tools, and verifying transfers of data.
Please post comments below – OR contact us with any questions you have!