The Medicines and Healthcare products Regulatory Agency (MHRA) has a responsibility to protect public health by ensuring that medicines and medical devices meet applicable standards of safety, quality and efficacy. Each year, they conduct GMP inspections of facilities in the UK and overseas. In 2016, they completed a total of 324 inspections which is an increase of 21 from the previous year. During an inspection, the MHRA may find one or more deficiencies where the facility has failed to adequately meet a regulation. These deficiencies are grouped into categories, and the Computerised Systems category ranked number 7 in the most cited deficiency groups (9 Critical, 44 Major, and 120 Other). This is a slight improvement on the previous year, ranking in at number 5.
Within the MHRA regulatory guidance document (Orange Guide), there are several sections of Annex 11, Computerised Systems. The greatest number of deficiencies were found in relation to Security, Audit Trails, and Validation. Some examples of these findings are:
- Access control systems were not classified as GMP despite their intended purpose to control access to GMP areas.
- Users having more access than permitted in accordance with procedures.
- Users were permitted to change the default audit trail.
- Data from the integrity test was not backed up, and the system was observed to overwrite previous data.
As technology advances, computerised systems will provide further support for GMP activities. The regulations are set to ensure medicinal products meet safety, quality and efficacy standards, but they are also established to guide and encourage innovation. Facilities that successfully benefit from updated technology implement validation, operational and support processes that welcome continuous technology improvements whilst remaining compliant with regulations.
In March 2015, the MHRA released data integrity guidelines which also provided full definition and expectations for the management of GMP data. Deadlines were set to the end of 2017 to implement compliant practices (and in some cases, implement software where a paper-based process is insufficient) for areas such as audit trails and user access. The above data from the 2016 inspections show that regulators are acting on the issued data integrity guidelines, and we will be keeping up to date with the industry's efforts to implement this guidance globally.