GMP Impact of System Configuration Not Matching SOP Instructions

Introduction to the Audit Finding

1. Key Issue Identified

Auditors discovered that IT systems used in GMP environments were not configured as described in corresponding SOPs. For example, access privileges, password policies, and audit trail settings differed from documented procedures.

2. Regulatory Implications

• Violates principles of computerized system validation (CSV)
• Leads to data integrity concerns if audit trails or access control are misconfigured
• Breaks trust between documented procedures and actual system operations

3. Typical Audit Scenario

Audit trail was found disabled for certain operations even though the SOP mandated continuous tracking. Password change interval in the system was set to 180 days, while the SOP required 90 days.

Regulatory Expectations and Inspection Observations

1. 21 CFR Part 11.10(a) and (d)

Requires that systems used in regulated environments are validated and operate in accordance with pre-established written procedures.

2. EU GMP Annex 11, Clause 4 and 5

Emphasizes that configuration must reflect what is written in SOPs, particularly around access control and data retention.

3. GAMP 5 Principle

System configuration must be documented and traceable to functional requirements defined in SOPs and validation documentation.

4. Regulatory Findings

• FDA 483: “System password settings did not match the configuration described in the approved SOP.”
• CDSCO: “Audit trail not enabled for a critical system function, although mandated by SOP.”

Root Causes of Configuration-SOP Mismatch

1. Poor Communication Between IT and QA

System administrators implement settings without consulting QA or SOPs.

2. Inadequate SOP Review During System Setup

IT teams rely on vendor defaults rather than cross-checking against SOPs.

3. Lack of Change Management Discipline

System configurations are modified without proper change control, and SOPs are not updated accordingly.

4. Misalignment Between Validation and SOP Authors

Validation teams and SOP authors work in silos, resulting in diverging functional assumptions.

Prevention of System-SOP Misalignment

1. Cross-Functional Configuration Committees

Include QA, IT, and Validation representatives during system design, configuration, and SOP drafting phases.

2. Configuration Verification Checklists

• Establish SOP-linked verification points before releasing system for use
• Perform dry-runs comparing SOP steps vs. actual system behavior

3. Validation Alignment

Ensure that configuration documented in pharma validation protocols matches SOP steps one-to-one.

4. Periodic IT Compliance Audits

Internal IT auditors should review system setup vs. current SOPs quarterly or post-major change.

5. SOP for Configuration Management

Define a specific SOP that governs how system configurations must be documented, reviewed, and approved.

Corrective and Preventive Actions (CAPA)

1. Corrective Measures

• Revalidate all affected systems
• Reconfigure settings to match the active SOP
• Document discrepancy reports for all deviations

2. Preventive Strategies

Revise SOPs to include detailed configuration parameters, supported by screenshots or configuration logs.

3. Training Initiatives

Train IT and QA teams on interpreting and executing SOPs during system configuration activities.

4. Regulatory Best Practice Reference

Align practices with USFDA CSV guidance and TGA recommendations on computerized system lifecycle management.