Has Anyone Ever Applied the Data Integrity Guidelines from MHRA and PIC/S?

Has anyone ever apply the Data Integrity guidelines from MHRA and PIC/S (though both these 2 guidelines still in draft status). I am working on a project that the computer systems is using a common / generic admin log on that doing automatic checking for the validity of each equipment e.g. equipment A must be used within 24 hours after the cleaning process, else the validity of the equipment will be removed. Because of the auto checking process, the audit trial appear as “Sys_Admin allocated Equipment A”. However, MHRA guidelines stated no shared log in and shared admin account shall be used. Does it post a data integrity concern for this case ? From my past validation experience, it is unavoidable for a complex / large computer system using shared accounts as some automated process will be checked by system and even many systems using shared accounts to communicate with another computer systems /PLC and etc. My opinion is as long as I can prove that the system’s audit trail meeting the ALCOA and complete, consistent and accurate as in MHRA guidelines , it shouldn’t be any data integrity concerns. Not sure anyone has any experience on this and can share some ideas? I hope to get more input as the project team has many diff opinions … and I hope to seek more ideas…

Shared accounts using common access credentials is a significant data integrity issue as it is impossible to attribute the action to a specific individual. A fundamental requirement for assuring the reliability and trustworthiness of records. Shared accounts are a fundamental non-compliance in any regulated industry. In the pharmaceutical industry they are a fundamental non-compliance with annex 11 (sections 12 and 14) or 21 CFR Part 11. Such a practice has attracted audit observations and warning letters.

In addition, you appear to be allocating system administrator privileges to operators. This is another GMP issues that has attracted audit observations and warning letters. Further, it is a very dangerous practice as it is probable that users have access to functions which they do not need for their roles, and probably have not been trained to use properly.

Dr David Trew
BSc (Hons), PhD, CChem MRSC
Director

David Trew Consulting Ltd
Consultancy services for chemistry based businesses
and laboratory service sectors.

davidtrew@davidtrew.co.uk
Telephone: +44 (0)1494 700693
www.davidtrew.co.uk

The comments placed in this post are for information only are not intended to constitute any form of counsel.

There is an understanding that older systems often do not have the user account functionality that we would expect from fully compliant modern systems.
In terms of the MHRA guidance there is an allowance in such instances to have a hybrid paper / electronic system - meaning that in this instance you would essentially need to have a fully proceduralised (SOP) logbook process that would readily identify the user, action, time started, time finished and date(s) involved. Depending on the criticality of the processes involved, you may also feel it necessary to implement a second-person check

You should also check if newer versions of the software exist from the vendor, as there may be a more compliant version available.

David’s point above regarding supervisor/admin access for all users is very valid, and should be addressed

For reference, the MHRA guidance is no longer in draft, but has been released. They do however have a newer version in draft at the time of writing.
The FDA guidance is currently in draft.