GMP Non-Compliance Due to Missing SOPs for Electronic Record Handling
Introduction to the Audit Finding
1. Summary of Finding
Electronic records critical to GMP operations are managed without documented procedures—violating data integrity expectations.
2. Data Governance Concern
Without a defined SOP, electronic data becomes vulnerable to unauthorized access, manipulation, loss, or deletion.
3. Common Contexts
This issue is often found in systems like LIMS, ERP, PLCs, HVAC monitoring, and stability testing software.
4. Key Risk Areas
Audit trail omission, no backup policy, undefined data retention periods, and improper user rights are frequently observed.
5. Severity of Impact
The absence of electronic record SOPs is considered a critical data integrity gap affecting product quality and regulatory trust.
6. Lifecycle Management Risk
No documentation exists for the creation, modification, archival, and deletion of GMP data—breaching lifecycle integrity.
7. Regulatory Perception
Agencies see this as systemic failure—suggesting that the company does not understand or control its electronic records.
8. Case Example
In one MHRA inspection, a firm failed to explain how temperature records in a warehouse were stored or reviewed electronically.
9. Overall Risk Summary
Lack of procedure means lack of control—leading to probable regulatory enforcement such as FDA 483s or warning letters.
Regulatory Expectations and Inspection Observations
1. 21 CFR
Firms must document how electronic records are created, protected, and retained. SOPs are the primary tool to meet this expectation.
2. EU GMP Annex 11
Specifies that formal procedures must exist for electronic systems governing GMP-related operations and data.
3. WHO TRS 1019
Calls for procedural control of data entry, verification, protection, retrieval, and retention in computerized systems.
4. PIC/S PI 041-1
Details the need for SOPs covering audit trails, user access rights, and data security across the system lifecycle.
5. MHRA GXP Data Integrity Guidance
States: “Procedures must exist that describe the use of electronic systems in GxP environments.”
6. Health Canada GMP Guidance
Highlights that absence of procedures for electronic documentation undermines traceability and accountability.
7. USFDA 483 Citation
“No procedure was available to define handling and retention of electronic logbooks for temperature monitoring systems.”
8. CDSCO Audit Case
Indian regulators cited a sterile facility for lacking documented access control rules in the electronic BMR system.
9. Risk Amplification via Automation
The more automated a system is, the more critical documented procedural controls become to protect GMP data.
Root Causes of Missing Electronic Record SOPs
1. Overlooked During System Implementation
Electronic systems are validated, but SOPs defining their ongoing use are never written or approved.
2. Fragmented IT and QA Ownership
IT manages the systems; QA assumes compliance—but no one documents the usage controls.
3. Lack of Training
SOP writers are unfamiliar with data integrity expectations or system-specific controls.
4. Legacy Systems
Older platforms like standalone HPLCs or HVAC systems may be operating without any formal procedures.
5. Overreliance on Vendors
Firms assume that vendor-provided manuals or validation documents suffice—ignoring the need for internal SOPs.
6. Misconception of Compliance
Some believe that only paper records require SOPs, not electronic workflows.
7. Poor Change Control
New modules or features are added without triggering updates to associated procedures.
8. Inadequate QA Review
SOPs for systems are approved without assessing whether they address electronic record lifecycle control.
9. Data Integrity Culture Gap
Sites lack awareness of ALCOA+ principles and their procedural enforcement mechanisms.
Prevention of SOP Gaps for Electronic Records
1. Define a Global SOP
Create a master procedure that outlines how all GMP electronic records will be created, modified, archived, and reviewed.
2. Map System-Specific Procedures
For each computerized system (LIMS, ERP, BMS), ensure a system-specific SOP is available and accessible.
3. Collaborate Across Functions
Use joint QA-IT teams to draft, review, and approve procedures to ensure both compliance and system feasibility.
4. Integrate ALCOA+ Principles
Make sure the SOPs mention data attributes like attributable, legible, contemporaneous, original, and accurate.
5. Address User Access and Roles
Include how user accounts are created, deactivated, and controlled based on responsibilities and segregation of duties.
6. Incorporate Backup and Recovery
SOPs must describe data backup frequency, verification, storage medium, and restoration testing.
7. Validate and Link to VMP
Ensure procedures are traceable to system validation activities and the validation master plan.
8. Conduct SOP Gap Assessments
Review all existing SOPs linked to electronic systems and assess them against current regulatory expectations.
9. Audit for Procedural Control
During internal audits, verify the availability and completeness of SOPs governing electronic data systems.
Corrective and Preventive Actions (CAPA)
1. Immediate Risk Assessment
Identify systems with electronic records currently operating without defined procedures.
2. Log Deviation
Document the SOP absence as a deviation or observation, with cross-functional impact analysis.
3. Draft System SOPs
Assign responsible departments to prepare and implement SOPs for each electronic system affecting GMP operations.
4. Conduct Targeted Training
Train relevant personnel on the new SOPs and clarify their responsibilities in electronic record handling.
5. Include in Internal Audit Scope
Update internal audit checklists to verify whether every GMP electronic system has a current, reviewed SOP.
6. Cross-reference with VMP
Ensure SOPs for electronic records are consistent with the validation and qualification lifecycle described in the VMP.
7. Implement Review Cycle
Establish a periodic review process (e.g., every 12 months) for all SOPs governing electronic systems.
8. Align with Regulatory Guidelines
Refer to EMA, FDA, and WHO guidance when drafting or revising procedures.
9. Monitor Effectiveness
Track system deviations, audit trail reviews, and user access logs to ensure that SOPs are being followed correctly.