The life sciences industry has regulatory compliance at the center of all its operations, so maintaining the integrity of data has always been a pressing need for this industry globally. Regulators such as the United States Food and Drug Administration (U.S. FDA), World Health Organisation (WHO), Indian Food and Drug Administration (FDA), the United Kingdom Medicines and Healthcare Products Regulatory Agency (MHRA), and other regulatory agencies have laid down guidelines around data integrity that ensure good manufacturing practices are followed and the products manufactured are of high-quality standards.
Technology plays a pivotal role in the life sciences industry, with almost every process in the drug manufacturing and quality control units involving multiple pieces of equipment and computerized applications. Further, the massive data generated by these applications during the drug life cycle needs to be stored and secured to maintain authenticity. On average, any company will have more than 100 applications, such as CDS and non-CDS equipment, physical data servers, and applications like ERP, LIMS, DMS, QMS, eLogs, eBMR, Chromeleon, and Empower, that demand regular monitoring for compliance. Hence, it is critical that this equipment and these computerized applications comply with regulatory guidelines, thereby ensuring data integrity.
In addition to the regulatory pressure, corporate heads and IT professionals are under organizational pressure to ensure the protection of company resources and data. Hence, IT teams employ access controls on critical information through login credentials, multifactor authentication, restricted access controls, etc. Despite the adoption of automation and digitalization in various aspects, most organizations still depend on a paper-based approach for identity and access management purposes. With the entire procedure done manually, there is no audit trail, which may result in duplicate user identities, illegal access, and provisioning of access without validating prerequisites, leading to major integrity issues. The IT teams also face the challenge of tracking users, access permissions, role updates, license utilization, and compliance. Organizations thus need to go beyond manual, error-prone approaches and embrace digital platforms to automate the tasks (assigning, modifying, monitoring) for access controls. An identity and access management technology platform can be leveraged to maintain and manage user access permissions per the company workflows and standard operating procedures, as well as track authorizations for any exceptions.
Data integrity compliance has always been a focus area for the regulators, as we can notice from various actions taken by them in the form of "Form 483," "Warning Letter," "Import Alert," and "Consent decree." One approach that a pharmaceutical company can follow to maintain sound data integrity and a sound overall GMP program is to embrace best practices for data acquisition, data storage, and access controls, such as providing authorized/restricted access to the electronic data generated by various types of GxP equipment.
As per the USFDA regulations 21 CFR 211.68 and 212.110(b), exact, unchanged, and complete copies of backup data should be maintained; any risk arising from accidental deletion or loss of the electronic data must be eliminated; role-based authentications need to be set up to prevent unauthorized access or potential data manipulation; and user access changes must be tracked for audit trail purposes.
Further, the regulation highlights the following principles to maintain the integrity of electronic data.
- Authorization of Access
- Input/Output verification based on the complexity and reliability of the computer or related system
- Storage of e-records and backups
Some of the findings of the USFDA during inspections related to access authorization state:
- Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
- Unique user accounts and privilege levels were not assigned to individual users for (b)(4) software, and the Windows operating system. The analysts had access to delete and overwrite data. Our investigators found approximately 36 deleted data files or folders in the recycle bin.
- Our investigator observed that the computerized system and software associated with your GC lacked restricted access. For example, your laboratory employees who used the GC to perform analyses of drug products all logged in as “System Administrator,” which does not require a password, and had full system administration rights. In addition, audit trails on your GC were not enabled.
- As the result of not correctly assigning the access level to users, the absence of the qualification of a critical tool to determine quality attribute from product, and the failure to detect falsification of records, the firm quality system does not adequately ensure the accuracy and integrity of the data to support the safety, effectiveness and quality of the manufactured drugs.
If identified as non-compliant by the regulators, the organization has to file a CAPA plan for the interim controls to prevent the occurrence or recurrence of data alteration, deletion, and unauthorized access. Also, a detailed plan needs to be provided to evaluate and remediate the user control effectiveness of the manufacturing and laboratory systems.
Current Procedures followed for User Authorization
The complex access controls in pharmaceutical compliance requirements are attributed to the existence of multiple departments (research and development facilities, manufacturing sites, quality control labs, etc.) and various equipment configured within it requiring authorized user control and security permissions. It is, therefore, the responsibility of the organization’s information technology (IT) team to provide, change, validate and audit any user access control for multiple types of equipment and computerized applications. Also, the IT team needs to quickly respond to any user-related request to avoid any delays in the organization’s daily operations and to ensure compliance with regulatory guidelines.
Some of the frequent requests or activities that the IT team has to address on a regular basis:
- Create a user profile and provide access to the GxP equipment and applications as per the standard operating procedure (SOP)
- Create, lock, and backup data folders of the respective application in the quality control laboratory and manufacturing unit
- Install and validate the GxP application on user request
- Revoke user access from the respective application (e.g. upon exits)
- User change access request or password reset
- Get the required approval from the respective team for any user access request
- System security and backup requests from the users
- User access to a unit in the facility
- Application and equipment validation or troubleshooting request
- Backup data restoration request for the respective application for audit purposes
For each of the aforementioned requests, IT teams need to validate requests as per the organization’s SOP, seek multiple approvals from the respective teams at the facility or corporate office and maintain appropriate documentation of the requests and approvals prior to executing the requests. Most organizations follow a paper-based approach to document and maintain an audit trail of these requests, leading to the generation of thousands of paper documents every year that need to be organized and maintained from a traceability perspective. Furthermore, this data needs to be regularly monitored by the IT team to ensure data integrity compliance and is reviewed by the regulators during the inspection.
User Access Management System - How IAM Solves the Problem
A manual approach to documenting each user request on paper and getting the required approvals/signatures from the respective teams sitting at different locations can be an incredibly resource-intensive and time-consuming activity for the IT team. Further, the bundle of paper documents created while addressing these requests needs to be validated and maintained for any future regulatory audit. This paper-based, manual approach is quite tedious and less likely to assuage the data integrity (DI) risk. In contrast, an effective User Access Management (UAM) system can speed up the process of completing any user-related request, help manage user accounts effectively by providing traceability of user access, track various aspects of user access to each application and piece of equipment (including location and nature of access), ensure the requests are aligned to the organization’s standard operating procedure (SOP), enable efficient internal audit reviews, and increase the overall productivity of the IT team.
Additionally, UAM resolves the challenge for the IT team by providing a technology platform with a user-friendly interface that can be deployed on the organization’s network to create, access, and manage user requests remotely. Further, it offers a robust workflow for managing and tracking access and generating reports in real time for audit purposes, with information related to user identities and access permissions based on position/role in the organization. With the organization’s workflow fed into the UAM system, it lessens the effort required of the IT team to execute requests, avoid errors, and maintain compliance.
How it Works
UAM is configured on the organization’s intranet and connects to computerized systems and applications (e.g., LIMS, Empower, Chromeleon) through APIs. Further, UAM is not meant to substitute the existing infrastructure, but to augment it by acting as an additional layer that enables user access management and control in a structured and more effective manner. Such a unified system allows the IT team to remotely manage user identities and access across the infrastructure from a central location.
How UAM Benefits the Pharmaceutical Company
It enables the IT team to control user access to critical information within their organizations. An IAM tool configures and manages role-based access control, which lets the IT team provide and control access to the respective systems based on the SOP and the profile of individual users within the organization.
- Roles can be defined according to the job profile, authority, and responsibility within the organization.
- Allows the IT team to regulate access to connected systems or networks based on the roles of individual users.
- Access to each GxP application can be granted based on the Standard Operating Procedure (SOP).
- Maintains database logs of user logins and of the addition and removal of access privileges.
- Provides a centralized user directory for audit and reporting.
- Tracks and manages digital identities of devices and applications to help establish trust.
- SOPs related to IT controls can be configured, which ensures access privileges will be granted according to the policies.
- UAM allows the IT team to operate more efficiently and requires less effort and time to perform a daily task.
- Enables the team at the corporate office to remotely monitor user requests at multiple facilities.
- Enables organizations to comply with regulatory norms by allowing them to analyze and showcase information on a single platform using customized dashboards and reports.
- Further, the UAM system provides the flexibility of generating reports on demand for auditing purposes.
With the ever-evolving regulatory landscape, the pharmaceutical industry needs to embrace digital platforms that enable them to keep pace with regulatory compliance and technological changes as they strive to stay committed to the needs of the healthcare ecosystem. As pharmaceutical companies expand their portfolio of drugs, facilities, and infrastructure and implement new instruments, they will have to do away with manual means of managing IT compliance and implement the UAM tool to track and manage the user access of each application and equipment, ensuring the requests are aligned to SOP and enabling efficient internal audit control.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.