On March 31st, we celebrate World Backup Day. It’s a perfect opportunity to remind you about one of the key issues in data security, particularly in the pharmaceutical industry. With the ongoing digital transformation that enables more effective management of documentation and processes, data protection becomes a crucial element in ensuring regulatory compliance and business continuity.
Why does your company need backups?
Compliance with regulatory requirements, ensuring business continuity, minimising risks, and protecting data from loss are fundamental to the operation of any organisation subject to the requirements of regulators such as manufacturers, importers or MAHs (Marketing Authorisation Holders).
Data backup requirements are defined in regulations such as Annex 11 to GMP, which governs data’s physical and electronic protection against destruction. Additionally, data should be checked for accessibility, readability, and accuracy, and access should be properly monitored. GMP requirements also mandate regular backups and data recovery tests [1].
Similar provisions can be found in Good Pharmacovigilance Practice (GVP), which states that documents may be stored in electronic format, provided that the electronic system has been properly approved and adequate arrangements are made for system security, access, and data backup [2].
Furthermore, the ICH Q7 guidelines for the Good Manufacturing Practice for Active Pharmaceutical Ingredients emphasise the need for backup procedures for systems where failure could lead to permanent data loss [3].
The Good Distribution Practice (GDP) requirements also outline the necessity of performing regular backups, checking the availability of stored data, and maintaining backup copies for a minimum of 5 years in a separate secure location [4].
Who in your company is responsible for performing backups?
In pharmaceutical systems, the responsibility for performing data backups is not clearly assigned to one individual or department but depends on the system’s characteristics and the organisation’s structure.
Due to the growing popularity and security of solutions for computerised systems, the cloud system model is becoming increasingly widespread. As a result, issues related to third-party service providers are becoming extremely important. For systems with servers and infrastructure managed by external providers, the responsibility for performing backups primarily lies with the service provider. In the case of SaaS (Software as a Service) systems, the provider’s qualification becomes a key issue. According to Annex 11 GMP requirements, the organisation must conduct a supplier evaluation process. Furthermore, the agreement with the service provider (SLA) should specify the scope of responsibility, including backup creation and data recovery procedures, in case of failure. The agreement should also outline the frequency of backups, the location of backup storage, and the security of stored data [1].
Meanwhile, the Quality Assurance Department plays a key role in verifying that backup processes (internally and through the system provider) are carried out in accordance with organisational and regulatory requirements.
When should your company perform backups?
Data archiving and recovery tests should be an integral part of validating computerised systems [1]. During the system lifecycle, the frequency of backups and the processes for testing their integrity and recovery must be carefully planned, taking into account:
- System criticality
- Type and value of the data
- Risk analysis
If the system stores critical data, such as product quality data, production documentation, clinical trial results, and data from monitoring adverse events, backups should be performed more frequently. In such cases, this could mean daily or even multiple backups per day.
Where should backup copies be archived?
One fundamental element of protecting data from loss due to hardware failure or physical damage from fire or flooding at the company’s main headquarters is to store backups in a separate location, such as on external servers (including cloud-based solutions) or hard drives stored offsite [4, 5]. This form of data archiving minimises the risk of loss.
How do you plan backups, data recovery and storage?
According to the PIC/S guidance “Good Practices for data management and integrity in regulated GMP/GDP environments”, stored data should be backed up along with metadata and an audit trail and have the same security level as the original data [5]. Data should be stored in a format that allows reading, which may require maintaining appropriate software during the required data retention period [1, 5].
In order to implement a backup and restore test plan in your organisation, you need to:
To ensure business continuity, the organisation should establish two key values:
- Recovery Time Objective (RTO) – the maximum time within which a system must be restored to full functionality after a failure.
- Recovery Point Objective (RPO) – defines the maximum time that data can be lost in the event of a failure.
In conclusion, effective backup management and the data recovery process are essential to ensure data security and regulatory compliance. An important aspect is also determining the appropriate backup procedures and frequencies based on system and data criticality. Regular testing of data recovery procedures and storing backup copies in secure, separated locations are other key aspects of effective backup planning. All these actions combine into a comprehensive process that minimises the risk of data loss, ensures operational continuity, and meets regulatory standards.
The backup and recovery process is one of the key processes for ensuring data security and meeting regulatory requirements for services that SciencePharma has in place.
References:
- Good Manufacturing Practice (GMP) Annex 11: Computerised Systems https://health.ec.europa.eu/document/download/8d305550-dd22-4dad-8463-2ddb4a1345f1_en?filename=annex11_01-2011_en.pdf
- Guideline on good pharmacovigilance practices (GVP) https://www.ema.europa.eu/en/documents/scientific-guideline/guideline-good-pharmacovigilance-practices-module-i-pharmacovigilance-systems-and-their-quality-systems_en.pdf
- ICH Q7 – Good Manufacturing Practice for Active Pharmaceutical Ingredients https://www.ema.europa.eu/en/documents/scientific-guideline/ich-q-7-good-manufacturing-practice-active-pharmaceutical-ingredients-step-5_en.pdf
- Wymagania Dobrej Praktyki Dystrybucyjnej (GDP) https://sip.lex.pl/akty-prawne/dzu-dziennik-ustaw/wymagania-dobrej-praktyki-dystrybucyjnej-18176644
- PIC/S Guidance – Good practices for Data Management and integrity in regulated GMP/GDP environments https://picscheme.org/docview/4234