GMP Impact of System Configuration Not Matching SOP Instructions

Introduction to the Audit Finding

1. Key Issue Identified

Auditors discovered that IT systems used in GMP environments were not configured as described in corresponding SOPs. For example, access privileges, password policies, and audit trail settings differed from documented procedures.

2. Regulatory Implications

• Violates principles of computerized system validation (CSV)
• Leads to data integrity concerns if audit trails or access control are misconfigured
• Breaks trust between documented procedures and actual system operations

3. Typical Audit Scenario

Audit trail was found disabled for certain operations even though the SOP mandated continuous tracking. Password change interval in the system was set to 180 days, while the SOP required 90 days.

Regulatory Expectations and Inspection Observations

1. 21 CFR Part 11.10(a) and (d)

Requires that systems used in regulated environments are validated and operate in accordance with pre-established written procedures.

2. EU GMP Annex 11, Clause 4 and 5

Emphasizes that configuration must reflect what is written in SOPs, particularly around access control and data retention.

3. GAMP 5 Principle

System configuration must be documented and traceable to functional requirements defined in SOPs and validation documentation.

4. Regulatory Findings

• FDA 483: “System password settings did not match the configuration described in the approved SOP.”
• CDSCO: “Audit trail not enabled for a critical system function, although mandated by SOP.”

Root Causes of Configuration-SOP Mismatch

1. Poor Communication Between IT and QA

System administrators implement settings without consulting QA or SOPs.

2. Inadequate SOP Review During System Setup

IT teams rely on vendor defaults rather than cross-checking against SOPs.

3. Lack of Change Management Discipline

System configurations are modified without proper change control, and SOPs are not updated accordingly.

4. Misalignment Between Validation and SOP Authors

Validation teams and SOP authors work in silos, resulting in diverging functional assumptions.

Prevention of System-SOP Misalignment

1. Cross-Functional Configuration Committees

Include QA, IT, and Validation representatives during system design, configuration, and SOP drafting phases.

2. Configuration Verification Checklists

• Establish SOP-linked verification points before releasing system for use
• Perform dry-runs comparing SOP steps vs. actual system behavior

3. Validation Alignment

Ensure that configuration documented in pharma validation protocols matches SOP steps one-to-one.

4. Periodic IT Compliance Audits

Internal IT auditors should review system setup vs. current SOPs quarterly or post-major change.

5. SOP for Configuration Management

Define a specific SOP that governs how system configurations must be documented, reviewed, and approved.

Corrective and Preventive Actions (CAPA)

1. Corrective Measures

• Revalidate all affected systems
• Reconfigure settings to match the active SOP
• Document discrepancy reports for all deviations

2. Preventive Strategies

Revise SOPs to include detailed configuration parameters, supported by screenshots or configuration logs.

3. Training Initiatives

Train IT and QA teams on interpreting and executing SOPs during system configuration activities.

4. Regulatory Best Practice Reference

Align practices with USFDA CSV guidance and TGA recommendations on computerized system lifecycle management.

GMP Non-Compliance Due to Missing SOPs for Electronic Record Handling

Introduction to the Audit Finding

1. Summary of Finding

Electronic records critical to GMP operations are managed without documented procedures—violating data integrity expectations.

2. Data Governance Concern

Without a defined SOP, electronic data becomes vulnerable to unauthorized access, manipulation, loss, or deletion.

3. Common Contexts

This issue is often found in systems like LIMS, ERP, PLCs, HVAC monitoring, and stability testing software.

4. Key Risk Areas

Audit trail omission, no backup policy, undefined data retention periods, and improper user rights are frequently observed.

5. Severity of Impact

The absence of electronic record SOPs is considered a critical data integrity gap affecting product quality and regulatory trust.

6. Lifecycle Management Risk

No documentation exists for the creation, modification, archival, and deletion of GMP data—breaching lifecycle integrity.

7. Regulatory Perception

Agencies see this as systemic failure—suggesting that the company does not understand or control its electronic records.

8. Case Example

In one MHRA inspection, a firm failed to explain how temperature records in a warehouse were stored or reviewed electronically.

9. Overall Risk Summary

Lack of procedure means lack of control—leading to probable regulatory enforcement such as FDA 483s or warning letters.

Regulatory Expectations and Inspection Observations

1. 21 CFR Part 11

Firms must document how electronic records are created, protected, and retained. SOPs are the primary tool to meet this expectation.

2. EU GMP Annex 11

Specifies that formal procedures must exist for electronic systems governing GMP-related operations and data.

3. WHO TRS 1019

Calls for procedural control of data entry, verification, protection, retrieval, and retention in computerized systems.

4. PIC/S PI 041-1

Details the need for SOPs covering audit trails, user access rights, and data security across the system lifecycle.

5. MHRA GXP Data Integrity Guidance

States: “Procedures must exist that describe the use of electronic systems in GxP environments.”

6. Health Canada GMP Guidance

Highlights that absence of procedures for electronic documentation undermines traceability and accountability.

7. USFDA 483 Citation

“No procedure was available to define handling and retention of electronic logbooks for temperature monitoring systems.”

8. CDSCO Audit Case

Indian regulators cited a sterile facility for lacking documented access control rules in the electronic BMR system.

9. Risk Amplification via Automation

The more automated a system is, the more critical documented procedural controls become to protect GMP data.

Root Causes of Missing Electronic Record SOPs

1. Overlooked During System Implementation

Electronic systems are validated, but SOPs defining their ongoing use are never written or approved.

2. Fragmented IT and QA Ownership

IT manages the systems; QA assumes compliance—but no one documents the usage controls.

3. Lack of Training

SOP writers are unfamiliar with data integrity expectations or system-specific controls.

4. Legacy Systems

Older platforms like standalone HPLCs or HVAC systems may be operating without any formal procedures.

5. Overreliance on Vendors

Firms assume that vendor-provided manuals or validation documents suffice—ignoring the need for internal SOPs.

6. Misconception of Compliance

Some believe that only paper records require SOPs, not electronic workflows.

7. Poor Change Control

New modules or features are added without triggering updates to associated procedures.

8. Inadequate QA Review

SOPs for systems are approved without assessing whether they address electronic record lifecycle control.

9. Data Integrity Culture Gap

Sites lack awareness of ALCOA+ principles and their procedural enforcement mechanisms.

Prevention of SOP Gaps for Electronic Records

1. Define a Global SOP

Create a master procedure that outlines how all GMP electronic records will be created, modified, archived, and reviewed.

2. Map System-Specific Procedures

For each computerized system (LIMS, ERP, BMS), ensure a system-specific SOP is available and accessible.

3. Collaborate Across Functions

Use joint QA-IT teams to draft, review, and approve procedures to ensure both compliance and system feasibility.

4. Integrate ALCOA+ Principles

Make sure the SOPs mention data attributes like attributable, legible, contemporaneous, original, and accurate.

5. Address User Access and Roles

Include how user accounts are created, deactivated, and controlled based on responsibilities and segregation of duties.

6. Incorporate Backup and Recovery

SOPs must describe data backup frequency, verification, storage medium, and restoration testing.

7. Validate and Link to VMP

Ensure procedures are traceable to system validation activities and the validation master plan.

8. Conduct SOP Gap Assessments

Review all existing SOPs linked to electronic systems and assess them against current regulatory expectations.

9. Audit for Procedural Control

During internal audits, verify the availability and completeness of SOPs governing electronic data systems.

Corrective and Preventive Actions (CAPA)

1. Immediate Risk Assessment

Identify systems with electronic records currently operating without defined procedures.

2. Log Deviation

Document the SOP absence as a deviation or observation, with cross-functional impact analysis.

3. Draft System SOPs

Assign responsible departments to prepare and implement SOPs for each electronic system affecting GMP operations.

4. Conduct Targeted Training

Train relevant personnel on the new SOPs and clarify their responsibilities in electronic record handling.

5. Include in Internal Audit Scope

Update internal audit checklists to verify whether every GMP electronic system has a current, reviewed SOP.

6. Cross-reference with VMP

Ensure SOPs for electronic records are consistent with the validation and qualification lifecycle described in the VMP.

7. Implement Review Cycle

Establish a periodic review process (e.g., every 12 months) for all SOPs governing electronic systems.

8. Align with Regulatory Guidelines

Refer to EMA, FDA, and WHO guidance when drafting or revising procedures.

9. Monitor Effectiveness

Track system deviations, audit trail reviews, and user access logs to ensure that SOPs are being followed correctly.