GMP Impact of System Configuration Not Matching SOP Instructions
Introduction to the Audit Finding
1. Key Issue Identified
Auditors discovered that IT systems used in GMP environments were not configured as described in corresponding SOPs. For example, access privileges, password policies, and audit trail settings differed from documented procedures.
2. Regulatory Implications
- Violates principles of computerized system validation (CSV)
- Leads to data integrity concerns if audit trails or access control are misconfigured
- Breaks trust between documented procedures and actual system operations
3. Typical Audit Scenario
Audit trail was found disabled for certain operations even though the SOP mandated continuous tracking. Password change interval in the system was set to 180 days, while the SOP required 90 days.
Regulatory Expectations and Inspection Observations
1. 21 CFR Part 11.10(a) and (d)
Requires that systems used in regulated environments are validated and operate in accordance with pre-established written procedures.
2. EU GMP Annex 11, Clause 4 and 5
Emphasizes that configuration must reflect what is written in SOPs, particularly around access control and data retention.
3. GAMP 5 Principle
System configuration must be documented and traceable to functional requirements defined in SOPs and validation documentation.
4. Regulatory Findings
- FDA 483: “System password settings did not match
Root Causes of Configuration-SOP Mismatch
1. Poor Communication Between IT and QA
System administrators implement settings without consulting QA or SOPs.
2. Inadequate SOP Review During System Setup
IT teams rely on vendor defaults rather than cross-checking against SOPs.
3. Lack of Change Management Discipline
System configurations are modified without proper change control, and SOPs are not updated accordingly.
4. Misalignment Between Validation and SOP Authors
Validation teams and SOP authors work in silos, resulting in diverging functional assumptions.
Prevention of System-SOP Misalignment
1. Cross-Functional Configuration Committees
Include QA, IT, and Validation representatives during system design, configuration, and SOP drafting phases.
2. Configuration Verification Checklists
- Establish SOP-linked verification points before releasing system for use
- Perform dry-runs comparing SOP steps vs. actual system behavior
3. Validation Alignment
Ensure that configuration documented in pharma validation protocols matches SOP steps one-to-one.
4. Periodic IT Compliance Audits
Internal IT auditors should review system setup vs. current SOPs quarterly or post-major change.
5. SOP for Configuration Management
Define a specific SOP that governs how system configurations must be documented, reviewed, and approved.
Corrective and Preventive Actions (CAPA)
1. Corrective Measures
- Revalidate all affected systems
- Reconfigure settings to match the active SOP
- Document discrepancy reports for all deviations
2. Preventive Strategies
Revise SOPs to include detailed configuration parameters, supported by screenshots or configuration logs.
3. Training Initiatives
Train IT and QA teams on interpreting and executing SOPs during system configuration activities.
4. Regulatory Best Practice Reference
Align practices with USFDA CSV guidance and TGA recommendations on computerized system lifecycle management.