GMP Impact of System Configuration Not Matching SOP Instructions

Introduction to the Audit Finding

1. Key Issue Identified

Auditors discovered that IT systems used in GMP environments were not configured as described in corresponding SOPs. For example, access privileges, password policies, and audit trail settings differed from documented procedures.

2. Regulatory Implications

• Violates principles of computerized system validation (CSV)
• Leads to data integrity concerns if audit trails or access control are misconfigured
• Breaks trust between documented procedures and actual system operations

3. Typical Audit Scenario

Audit trail was found disabled for certain operations even though the SOP mandated continuous tracking. Password change interval in the system was set to 180 days, while the SOP required 90 days.

Regulatory Expectations and Inspection Observations

1. 21 CFR Part 11.10(a) and (d)

Requires that systems used in regulated environments are validated and operate in accordance with pre-established written procedures.

2. EU GMP Annex 11, Clause 4 and 5

Emphasizes that configuration must reflect what is written in SOPs, particularly around access control and data retention.

3. GAMP 5 Principle

System configuration must be documented and traceable to functional requirements defined in SOPs and validation documentation.

4. Regulatory Findings

• FDA 483: “System password settings did not match the configuration described in the approved SOP.”
• CDSCO: “Audit trail not enabled for a critical system function, although mandated by SOP.”

Root Causes of Configuration-SOP Mismatch

1. Poor Communication Between IT and QA

System administrators implement settings without consulting QA or SOPs.

2. Inadequate SOP Review During System Setup

IT teams rely on vendor defaults rather than cross-checking against SOPs.

3. Lack of Change Management Discipline

System configurations are modified without proper change control, and SOPs are not updated accordingly.

4. Misalignment Between Validation and SOP Authors

Validation teams and SOP authors work in silos, resulting in diverging functional assumptions.

Prevention of System-SOP Misalignment

1. Cross-Functional Configuration Committees

Include QA, IT, and Validation representatives during system design, configuration, and SOP drafting phases.

2. Configuration Verification Checklists

• Establish SOP-linked verification points before releasing system for use
• Perform dry-runs comparing SOP steps vs. actual system behavior

3. Validation Alignment

Ensure that configuration documented in pharma validation protocols matches SOP steps one-to-one.

4. Periodic IT Compliance Audits

Internal IT auditors should review system setup vs. current SOPs quarterly or post-major change.

5. SOP for Configuration Management

Define a specific SOP that governs how system configurations must be documented, reviewed, and approved.

Corrective and Preventive Actions (CAPA)

1. Corrective Measures

• Revalidate all affected systems
• Reconfigure settings to match the active SOP
• Document discrepancy reports for all deviations

2. Preventive Strategies

Revise SOPs to include detailed configuration parameters, supported by screenshots or configuration logs.

3. Training Initiatives

Train IT and QA teams on interpreting and executing SOPs during system configuration activities.

4. Regulatory Best Practice Reference

Align practices with USFDA CSV guidance and TGA recommendations on computerized system lifecycle management.

Why Intranet SOPs Without Access Restrictions Violate GMP Standards

Introduction to the Audit Finding

1. The Issue Explained

Standard Operating Procedures (SOPs) hosted on the company intranet are accessible to all personnel without user authentication or role-based restrictions.

2. GMP Compliance Gap

• Unauthorized personnel may download, modify, or circulate SOPs
• Old or draft versions may be accessed and followed by mistake
• No traceability of document access or usage

3. Systemic Risk

Open access to critical procedures can result in operational deviations, misapplication of SOPs, and lack of audit traceability.

4. Example Scenario

Operators accessed a superseded SOP from the intranet folder, leading to incorrect cleaning procedure execution — later flagged during a GMP audit.

Regulatory Expectations and Inspection Observations

1. USFDA 21 CFR 211.180(c)

Requires that all records, including SOPs, must be controlled, retained, and readily available only to authorized personnel.

2. EU GMP Chapter 4

Stipulates that access to documents should be restricted to individuals who need them for performance of their duties.

3. WHO TRS 996

Highlights the importance of document security and controlled distribution, especially for electronic formats.

4. Regulatory Observations

• USFDA: “Intranet hosted SOPs lacked user restrictions. Anyone in the network could access and print them.”
• MHRA: “Access to QA-controlled procedures via unsecured intranet folder was observed.”

Root Causes of SOP Access Control Lapses

1. IT-QA Disconnect

QA defines SOP distribution policy but IT implements document repositories without GMP-compliant access controls.

2. Shared Network Folders

SOPs are placed in general intranet folders with default read permissions across departments.

3. Absence of Electronic Document Control System

Companies lacking an EDMS resort to uncontrolled methods of SOP sharing, compromising version integrity.

4. Lack of Training

Personnel are unaware of SOP access protocol and may unintentionally circulate unapproved versions.

Prevention of SOP Distribution Risks via Intranet

1. Role-Based Access Controls (RBAC)

Set document-level permissions on intranet folders using Active Directory roles or document security software.

2. Controlled Intranet Portals

Use a QA-approved SOP portal with login authentication and version locking mechanisms.

3. SOP Listing, Not Hosting

Host SOP lists on intranet but link to controlled copies stored on a secure EDMS platform.

4. Watermark and Download Restrictions

Use view-only formats with user-specific watermarks to prevent uncontrolled sharing of SOP PDFs.

5. Real-Time Access Logs

Track who accessed, viewed, or downloaded SOPs for audit traceability and to detect anomalies.

Corrective and Preventive Actions (CAPA)

1. Corrective Measures

• Remove SOPs from shared folders lacking proper access restrictions
• Transition SOP access to a secure EDMS or restricted SharePoint location
• Conduct a full access audit of all electronic SOPs

2. Preventive Controls

Define SOP access policy in the Documentation Control SOP, specifying authorization levels and IT protocols.

3. IT-QA Governance

Establish a Document Access Governance Committee including QA and IT to monitor and audit document security systems.

4. Regulatory Alignment

Benchmark controls with agencies such as TGA and USFDA to ensure security best practices in SOP hosting.

5. Training and Awareness

Include SOP access and security protocols in training modules for all document users.