
Quality Matters Technical Paper


A publication of the Society of Quality Assurance
Computer Validation Initiative Committee (CVIC)

Points to Consider: Backup and Restoration Processes

Amanda Ulrey, RQAP-GLP (1), Carrie James, RQAP-GLP (2)


(1) Institute for In Vitro Sciences, Inc., Gaithersburg, MD; (2) Charles River Laboratories, Ashland, OH

Quality Assurance (QA) auditors have a valuable skill set for addressing issues and solving problems
beyond a narrow interpretation of their responsibilities as defined in the regulations. QA auditors’ ability
to assess risk, perform gap analysis, and require rigorous documentation of procedures is beneficial across
many areas of the business. Since companies routinely use electronic data and electronic files as part of their
regulated work, QA auditors are consulting and participating as team members on projects to determine
appropriate back-up procedures for computerized systems and servers holding information related to or
associated with regulated research and manufacturing. This article provides the QA auditor with points to
consider during an evaluation of various backup and restore processes.

General Backup Information


A backup of a computer system is not the same as archival of electronic data. This is especially true in
regulated environments. In a Good Laboratory Practice (GLP) environment, archives maintain all raw data,
documentation, protocols, final reports, and specimens generated as a result of a non-clinical laboratory
study. Additionally, archives must allow for orderly storage and expedient retrieval of these materials while
minimizing deterioration. There must be an individual identified as having responsibility for the archives
and access to archived material must be limited to authorized personnel only. Exact, verified true copies
of archived materials are permissible. Although a well-planned backup system will have much in common
with a true electronic archive, this article is focused on outlining the backup and restoration of electronic
information in general. A backup is a point-in-time duplication or copy of data, metadata, and system configuration settings maintained for the purpose of disaster recovery. Backup data may not fall under the GLP definition of raw data, but retaining copies of raw data is still necessary to keep the business running without interruption after a loss.

A backup of a facility's electronic data should retain information in an accessible way. A backup has failed its purpose if a trained individual is unable to quickly find, access, and restore all or part of the information it holds. Retaining accessibility to information in a backup can be particularly difficult when differences in media types and software constraints are taken into consideration. Various types of media may be employed when retaining computer backups, such as separate servers, external hard drives, magnetic tapes, magnetic disks, optical disks (CDs and DVDs), and flash memory. Each of these media types could be utilized, and each has its own issues and considerations when dealing with the security of the information and continued readability over time. Backup information could also be kept off physical media under the facility's own control by placing it within a hosted cloud environment; expedient retrieval and data security concerns (who can read the data, how it is encrypted in transit and at rest, and how access to it is logged) would need to be addressed in this scenario.

Cite as: Ulrey, A., James, C. Points to Consider: Backup and Restoration Processes. Charlottesville, VA: Society of Quality Assurance; 2017. SQA Technical Document 2017-5
Copyright 2017 Society of Quality Assurance. The information in this document may not be reprinted without approval of SQA.

Society of Quality Assurance, 154 Hansen Road, Suite 201, Charlottesville, VA 22911 USA
Tel: +1.434.297.4772 Fax: +1.434.977.1856 E-mail: sqa@sqa.org Website: www.sqa.org


Preserving backups in a geographically separate physical storage location from the production origin, no matter the type of media used, is a sound practice, since an important use of a backup system is restoration of system and/or network information and functionality after a disaster (e.g., a malware attack or physical destruction). For the same reason, at least one copy should be kept offline or otherwise unreachable from the production network, so that an attacker or malware that gains control of the production systems cannot also alter or delete the backups.

There are different degrees of backup that might be used alone or in combination on a schedule to assure that a facility does not lose critical information in the event of a disaster. Full system backups create a copy of the entire system, including all data and software. These backups yield an extremely large amount of data and, for this reason, might only be performed occasionally (once or twice per year). Full data backups capture a copy of all of the data available on the system at the time the backup is initiated. Full data backups do not include copies of the software and are typically performed more frequently than full system backups (e.g., weekly). Because study data are collected daily, weekly full data backups may still be insufficient, as they do not mitigate the risk of losing several days' worth of data. Incremental data backups can be performed daily or more frequently (every 15 minutes, for example) and include a copy of all changed or new data since the previous backup, whether full or incremental. This allows for a faster backup while using less storage space. Differential backups copy the data that changed since the last full data backup. The trade-off is at restore time: restoring from incremental backups requires the last full backup plus every incremental taken since it, applied in order, so a missing or unreadable incremental breaks the chain, whereas restoring from a differential backup requires only the last full backup and the most recent differential. It is important to include data from standalone equipment that is not automatically backed up as part of the integrated network backup procedures; a manual backup procedure at an adequate frequency must be incorporated for such equipment. By combining different degrees of backup into a schedule that works for each business model while considering the associated risks, companies can minimize the risk of losing data while keeping processes cost effective.

NOTE: IT staff may refer to 'RPO' (Recovery Point Objective) and 'RTO' (Recovery Time Objective). RPO is the maximum targeted period of data that might be lost due to a major incident. For example, if backups are performed weekly, the RPO is up to 7 days: up to 7 days of data could be lost in the event of a disaster. An RPO of 15 minutes would require backups (typically incremental) to be performed at least every 15 minutes. RTO is the targeted duration within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity; in other words, the length of time the business can sustain operations between the moment a system disruption occurs and the moment the system is restored to a functional state. An RTO of 24 hours means the business can sustain operations for one day while waiting for the system to be restored; an RTO of 15 minutes requires a restoration process that completes within 15 minutes. A short RTO typically requires greater redundancy in the backup and restore process and therefore drives up cost. Note that the achievable RPO follows from the backup schedule, but the achievable RTO follows from the tested restore procedure, so neither can be confirmed without restoration testing. An auditor should review the RPO and RTO targets with the business and IT staff to ensure that they are appropriately aligned and agreed to by both parties.

Another point to consider when scheduling backups is whether to perform a "hot" or "cold" backup. Hot backups occur while the system being copied is still running. This type of backup is particularly prevalent when a frequent incremental backup schedule is used. System performance effects, such as slowdowns, should be considered when scheduling hot backups. The treatment of files that are open or in use at the time of the backup also needs to be determined: a plain file copy may skip them or capture a half-written, inconsistent state (a database file, for example), so hot backups generally rely on a snapshot or an application-aware mechanism that produces a consistent copy. Cold backups occur when the system is off-line during the file copy process, which avoids these consistency problems at the cost of downtime.

Backup Restoration
A process should be in place for periodic restoration of backed-up data to verify backup integrity and consistency. Consider the type of media used to store the backup; for example, where magnetic tape is used, consider write protection so that the backup cannot be modified during restoration activities. The data restoration process should be tested during validation and periodically verified to ensure the continued integrity of both the data and the physical media. The process should also define how a data restoration is requested, whether electronically or on paper, and whether within the system or outside it through an IT ticket.

Quality Matters - Technical Paper 2017-5 Volume 33, Number 4


Coordination of restoration activities between IT and any remote data centers should be outlined in the restoration procedures. Verification of security and maintenance of data integrity throughout the process are vital. The interval or timeframe in which testing is executed should minimize any potential impact on live system functionality, and it is common for restoration testing to occur outside of normal business hours. Test restores should be performed to a separate, isolated location rather than over the live production data, so that a bad backup cannot overwrite good production data. Upon completion of the restoration, the status of the system should be verified to ensure the retrieved data are acceptable, for example by comparing file counts and checksums against the backup's manifest and by opening a sample of records in the application. Additional data restorations may be needed until a successful backup point is determined. The results of the testing should be documented and maintained. Any failures should be documented, investigated, and remedial action taken.

Consider the software, proprietary or otherwise, used to create compressed or otherwise condensed backup files. The same software will also be required for restoration, quite possibly the same version. It is therefore critical to maintain licensing agreements with the vendor and to retain the installation media and, where backups are encrypted, the keys needed to read them; an encrypted backup whose key has been lost is as unrecoverable as a destroyed one. Hardware should also be kept in mind. If magnetic tapes are used to store backups, periodic exercising should be included as part of the backup procedures to protect against physical degradation and adherence of the tape to itself. The manufacturer of the backup media used (for example, known CD manufacturers versus a generic brand) should also be a consideration when determining the necessity and frequency of backup restoration testing.

Destruction of Outdated Back-ups


Structured rotation of media used in the creation of backups is commonplace where these types of solutions
are used. The frequency and rotation schedule for these external storage devices (e.g., tapes) should be
established, and there should be some consideration made for secure, documented destruction once the
media reaches the end of its reliable life.

Over time backup procedures can amass quite a bit of data, whether it is stored in external media or on a
server. Procedures should be developed for the secure disposal of backups that are no longer necessary.
Most services charge based on the total size of the information being held, and a planned destruction of
backups can aid in cost savings for the company. In addition, the company may need to consider the legal
implications of retaining older back-ups. Records in these backups likely fall under document retention
policies from both regulatory compliance and legal groups.

It is important to maintain security during the backup destruction process. Deleting backup files from a server appears to involve less work than destroying a tape or other removable media, but an ordinary file deletion only removes the directory entry and leaves the data recoverable from the underlying storage. Secure disposal of server-held backups requires overwriting the storage, cryptographic erasure (destroying the key of an encrypted backup so that the remaining ciphertext is unreadable), or physical destruction of the disks when they are retired. Both scenarios require documentation of the successful secure destruction process.

Backups may only be retained for a short period of time, for example 60 or 90 days, for the purpose of data
recovery whereas archived data is stored in a separate location for long-term retention as required by the
regulations.
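
As an added example, not from the paper, the following Python applies a retention policy to a constructed inventory of tape backup sets and produces a witnessed destruction record. It goes slightly beyond the text: besides the retention window and legal holds, it refuses to destroy the newest full backup or the backups that chain off it (so the system always keeps one restorable point), and it rejects plain deletion as a destruction method. Backup set identifiers, dates and study numbers are made up.

```python
"""Retention-driven selection of backup media for destruction, with a
witnessed destruction record. Added example; all identifiers, dates and
study numbers below are constructed, not taken from any real facility."""
import hashlib
from datetime import date, timedelta

# Constructed inventory of retained backup sets (one tape per set). Each set
# lists the studies whose data it contains, because a legal hold is placed
# on a study, not on a tape.
BACKUP_SETS = [
    {"id": "TAPE-0101", "kind": "full",        "taken": date(2017, 1, 1),  "studies": ["S-101"]},
    {"id": "TAPE-0102", "kind": "incremental", "taken": date(2017, 1, 2),  "studies": ["S-101"]},
    {"id": "TAPE-0201", "kind": "full",        "taken": date(2017, 2, 1),  "studies": ["S-101", "S-202"]},
    {"id": "TAPE-0202", "kind": "incremental", "taken": date(2017, 2, 2),  "studies": ["S-202"]},
    {"id": "TAPE-0315", "kind": "full",        "taken": date(2017, 3, 15), "studies": ["S-101"]},
    {"id": "TAPE-0316", "kind": "incremental", "taken": date(2017, 3, 16), "studies": ["S-101"]},
    {"id": "TAPE-0601", "kind": "incremental", "taken": date(2017, 6, 1),  "studies": ["S-101"]},
]

# Methods that actually render the data unrecoverable. Plain file deletion
# or a tape "erase" that only rewrites the header does not qualify.
SECURE_METHODS = {"overwrite", "crypto-erase", "degauss", "physical-destruction"}


def select_for_destruction(sets, today, retention_days, legal_holds):
    """Return (destroy, keep); keep maps set id -> reason it was retained.
    A set is destroyed only if it is past retention, holds no study under
    legal hold, and is not part of the newest full backup's restore chain."""
    cutoff = today - timedelta(days=retention_days)
    fulls = [s for s in sets if s["kind"] == "full"]
    newest_full = max(fulls, key=lambda s: s["taken"]) if fulls else None
    destroy, keep = [], {}
    for s in sorted(sets, key=lambda s: s["taken"]):
        held = sorted(set(s["studies"]) & set(legal_holds))
        if held:
            keep[s["id"]] = "legal hold on " + ", ".join(held)
        elif s["taken"] > cutoff:
            keep[s["id"]] = f"within {retention_days}-day retention"
        elif newest_full and s["taken"] >= newest_full["taken"]:
            keep[s["id"]] = "part of newest full backup's restore chain"
        else:
            destroy.append(s["id"])
    return destroy, keep


def destruction_record(destroyed_ids, method, performed_by, witnessed_by, when):
    """Evidence of destruction: what, how, by whom, witnessed by whom, and a
    hash of the media list that can be cross-checked against the media log."""
    if method not in SECURE_METHODS:
        raise ValueError(f"{method!r} is not a secure destruction method")
    if not witnessed_by or witnessed_by == performed_by:
        raise ValueError("destruction must be witnessed by a second person")
    media = sorted(destroyed_ids)
    digest = hashlib.sha256("\n".join(media).encode()).hexdigest()
    return {"date": when.isoformat(), "method": method, "performed_by": performed_by,
            "witnessed_by": witnessed_by, "media": media, "media_list_sha256": digest}


def demo():
    """Run the policy as of 2017-06-30 with 90-day retention and a legal hold
    on study S-202, then attempt a compliant and a non-compliant record."""
    destroy, keep = select_for_destruction(
        BACKUP_SETS, date(2017, 6, 30), retention_days=90, legal_holds={"S-202"})
    record = destruction_record(destroy, "degauss", "IT operator", "QA witness",
                                date(2017, 7, 3))
    try:
        destruction_record(destroy, "delete", "IT operator", "QA witness", date(2017, 7, 3))
        delete_rejected = False
    except ValueError:
        delete_rejected = True
    return {"destroy": destroy, "keep": keep, "record": record,
            "delete_rejected": delete_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With these inputs only the two January tapes are released for destruction: the February tapes contain a study under legal hold, the March full backup and its incremental are the newest restorable chain even though they are past the 90-day window, and the June incremental is still within retention.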

Auditing a Backup Process


Although backed-up data are not necessarily a GLP compliant archive, QA auditors may be tasked with performing process-based audits of the system backup procedures to ensure adequate transfer, storage, and restoration in accordance with their company's standard operating procedures. One would expect to see a variety of different scenarios depending on the structure of the backup system itself, although there are several common elements that should be present no matter what type of backup system is in use. There should be documented evidence of testing of the backup system. This could be kept as part of a business continuity/disaster recovery plan, a network qualification document, its own validation plan, or as something else altogether. It should demonstrate that all systems identified as falling under the backup plan are successfully and routinely backed up. There should also be evidence that files and programs from the backup are able to be restored to the system. Evidence of the security of the backed-up files throughout their lifecycle (for example, who can access the backup media or storage, whether the copies are encrypted, and how their integrity is checked) should also be present in this document.
Note: EU GMP Annex 11 (section 7.2) requires that the integrity and accuracy of backup data and the ability to restore the data be checked during system validation and monitored periodically.
Consider what to expect if/when the planned backup fails. If the backup is automatic, does IT review the
results? Does IT inform the business and/or system owner the backup failed? A process should be in place
for the review of backup performance logs and should include what steps to take in the event of failure. Is
the execution repeated automatically by the software program performing the backup or does it wait until
the next scheduled backup? In the event of consecutive failures, steps should be in place for intervention
and repair, as needed. Ensure IT personnel document all remedial actions taken.

It should be clear who has access to the backup and who is responsible for monitoring the performance of
it. The person responsible for the backup is likely not an archivist but an IT professional. It is crucial this
person or group understand the type of information on the system they are supporting and the regulatory
requirements surrounding it. They should understand that periodic checks need to be made on the system
to show the backups are occurring as scheduled and are successful. Maintain documented evidence for
when these checks are conducted to show proper functionality. Are GLP documentation principles being
followed? If IT is responsible for the backups, they need to have sufficient training for the applicable
regulatory environment and in the appropriate documentation practices, so that compliant records are
maintained.

Auditors should investigate the process of bringing a new system into the regulated environment. IT (or
whoever is responsible for network backups) should be made aware of the commissioning to assure the
system is incorporated into the backup process. There is a high risk involved in releasing a new technology
into the production environment. It is conceivable that newly installed systems could crash shortly after
installation and during investigation it is discovered that all information captured between installation and
the crash was only being saved locally and was not included in the network backup procedures. A scenario
like this could be potentially devastating for a study. It is worth the effort to make sure all responsible parties
are made aware of new system commissioning. Oftentimes the IT department is responsible for the overall
network backup, but standalone systems may be the responsibility of management within the laboratory
utilizing the system. It is important that the process of adding new systems into the regulated environment
include some discussion of data capture and backup procedures and how they will be handled for standalone
systems (including who will be responsible). Incorporating backup and restoration in the system specific
validation process is ideal so that the process is identified early and incorporated into each system’s standard
operating procedure, regardless of whether a standalone, networked configuration, or cloud solution is used.
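
As an added example that is not from the paper, here is a Python review of backup job logs covering two of the points above: detecting failed and repeatedly failed jobs from the backup performance log (including a failure that was re-run manually and one that was not), and detecting a system that is in the backup plan but has never had a job recorded, the newly commissioned instrument PC whose data were only being saved locally. The log format, the system names and the inventory are constructed for the example; a real backup product's log would need its own parser.

```python
"""Review of backup job logs: per-system outcome, failure streaks, and
systems in the backup plan that never appear in the log. Added example;
the log format, system names and inventory are constructed."""
import re
from collections import defaultdict

# Assumed line format (constructed): "<timestamp> job=<name> system=<host>
# status=SUCCESS|FAILED <free text>". A real product's log needs its own parser.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+job=(?P<job>\S+)\s+system=(?P<system>\S+)\s+"
    r"status=(?P<status>SUCCESS|FAILED)(?:\s+(?P<rest>.*))?$")

SAMPLE_LOG = """\
2017-03-01T02:00:05 job=lims-nightly system=LIMS-SRV01 status=SUCCESS bytes=1203948
2017-03-01T02:10:11 job=hplc-nightly system=HPLC-WS03 status=FAILED error="media full"
2017-03-02T02:00:04 job=lims-nightly system=LIMS-SRV01 status=SUCCESS bytes=1210033
2017-03-02T02:10:09 job=hplc-nightly system=HPLC-WS03 status=FAILED error="media full"
2017-03-03T02:00:06 job=lims-nightly system=LIMS-SRV01 status=FAILED error="timeout"
2017-03-03T02:10:12 job=hplc-nightly system=HPLC-WS03 status=FAILED error="media full"
2017-03-03T08:15:00 job=lims-nightly system=LIMS-SRV01 status=SUCCESS bytes=1218877 rerun=manual
"""

# Systems the backup plan says must be covered; BALANCE-PC07 is the newly
# commissioned standalone instrument PC that was never added to the backup.
REGULATED_SYSTEMS = ["LIMS-SRV01", "HPLC-WS03", "BALANCE-PC07"]


def parse_log(text):
    """Parse every non-empty line. An unparseable line is itself something
    to stop on, so it raises rather than being skipped silently."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line {lineno}: {line!r}")
        records.append(m.groupdict())
    return records


def review_backup_logs(text, inventory, max_consecutive=2):
    """Return the last status per system and a sorted list of findings:
    uncovered systems, systems whose last run failed, failure streaks at
    or above max_consecutive, and systems backed up but not in the plan."""
    streak, longest, last = defaultdict(int), defaultdict(int), {}
    for r in parse_log(text):        # records are in log (chronological) order
        s = r["system"]
        if r["status"] == "FAILED":
            streak[s] += 1
            longest[s] = max(longest[s], streak[s])
        else:
            streak[s] = 0            # a successful re-run ends the streak
        last[s] = r
    findings = []
    for s in inventory:
        if s not in last:
            findings.append(f"{s}: in backup plan but no backup job recorded")
        elif last[s]["status"] == "FAILED":
            findings.append(f"{s}: last backup failed ({last[s]['rest']})")
    for s, n in longest.items():
        if n >= max_consecutive:
            findings.append(f"{s}: {n} consecutive failures; intervention required")
    for s in last:
        if s not in inventory:
            findings.append(f"{s}: backed up but not listed in the backup plan")
    return {"last_status": {s: r["status"] for s, r in last.items()},
            "findings": sorted(findings)}


def demo():
    return review_backup_logs(SAMPLE_LOG, REGULATED_SYSTEMS)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

The LIMS failure on 3 March produces no finding because it was re-run successfully the same morning; the HPLC workstation's three unaddressed failures and the instrument PC that never appears in the log are the findings an auditor would expect IT to have raised.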
When performing general study audits, be mindful of where electronic data are being retrieved for review. Is
it standard practice to pull the archived copy of the electronic data for review, or are the files being retrieved
from the backup instead? It is important to assure there is a process in place to obtain the official archived
data (rather than the backup) and that all employees understand the difference between the electronic archive
and the backup and when it is appropriate to access each. Auditors have observed instances where a backup
copy transitioned into use as the official archived copy due to corruption of the original. In a case like this,
there should be some documentation indicating what happened to the original data and showing that the
backup was copied or restored and verified for official regulatory use.

In conclusion, there are several points to consider when implementing backup procedures within an
organization. The type of computerized system, amount and type of data being collected, and the associated
media types to maintain the original raw data are critical to evaluate as part of the process of determining
the appropriate backup procedures. The degrees of backup used, whether as part of a combination or
independent strategy, as well as adequate frequencies for the particular type of backup should be considered
when evaluating each computerized system to minimize the risk of losing data while keeping processes
cost effective and relatively low in labor. Maintaining the backup at a geographically separate location, in conjunction with periodic restoration exercises via recovery drills and appropriate rotation and destruction of outdated media, enhances disaster recovery efforts. Quality Assurance personnel should be knowledgeable of the documented processes and periodically monitor them to assure robust, tested procedures are in place to safeguard an organization's electronic records and intellectual property.



Glossary of Terms:
Backup – a point-in-time duplication or copy of data, metadata, and system configuration settings
maintained for the purpose of disaster recovery
Cold backups – backups that occur when the system is off-line during the file copy process
Differential backups – a copy of data that changed since the last full data backup
Full data backups – a copy of all of the data available on the system at the time that it is initiated
Full system backups – a copy of the entire system, including all data and software
Hot backups – backups that occur when the system being copied is still running
Incremental data backups – a copy of all changed or new data since the previous backup, whether full or incremental
Recovery Point Objective (RPO) – the maximum targeted period of data that might be lost due to a major incident
Recovery Time Objective (RTO) – the targeted duration of time in which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity

