AUDIT OF COMPUTERIZED SYSTEMS IN THE PHARMACEUTICAL INDUSTRY: SECURITY AND REGULATORY COMPLIANCE
This article is complemented by:
Validação de Sistemas Computadorizados
Validação de Sistemas Computadorizados Agile e CSA
By Gustavo Soares and Thiago Borin
Evaluation based on GAMP 5, 21 CFR Part 11, and the ISO/IEC 27001 Cybersecurity standard.
The audit of computerized systems in the pharmaceutical industry is an essential process that encompasses a detailed assessment of various technical components to ensure compliance with stringent standards and data security. Key elements include system validation (IQ, OQ, PQ), review of user requirements (URS), and qualification of IT infrastructure. Additionally, cybersecurity plays a central role, requiring adherence to standards such as GAMP 5, 21 CFR Part 11, ANVISA’s IN 134, and ISO/IEC 27001. The audit must also ensure that access controls are appropriate, systems have an up-to-date inventory, and robust backup and disaster recovery plans are in place. Periodic system reviews and the validation of electronic spreadsheets guarantee the continuity of operations in a secure manner and in compliance with applicable regulations. This systematic approach ensures data integrity and the efficiency of automated processes.
INTRODUCTION
When conducting an audit of computerized systems in the pharmaceutical industry, it is essential to ensure compliance with strict regulatory standards and guidelines, such as the Good Automated Manufacturing Practice (GAMP 5), the FDA’s 21 CFR Part 11 regulation, and Brazilian standards like ANVISA’s IN 134 and Guide 33 for System Validation. These standards aim to ensure the integrity, authenticity, and security of data generated by automated systems, which are critical in a highly regulated environment like the pharmaceutical industry.
Compliance goes beyond simple system validation. It includes the implementation of good engineering practices, risk management, and continuous review to maintain product quality and patient safety. Furthermore, cybersecurity plays a crucial role, requiring compliance with international standards such as ISO/IEC 27001 to protect systems from unauthorized access and ensure data security at all stages of the system life cycle.
This article addresses the main technical requirements necessary for an effective audit of computerized systems in the pharmaceutical industry, highlighting aspects such as infrastructure qualification, system and electronic spreadsheet validation, access control, change management in systems, data integrity, and the implementation of recovery and contingency measures, all essential to ensure regulatory compliance and the maintenance of a secure and controlled environment.
GAMP 5: Structure and Risk-Based Validation
GAMP 5 is an essential guide for the validation of computerized systems and uses a risk-based approach. Validation should be proportional to the impact that the system has on product quality and regulatory compliance. The main aspects of GAMP 5 include:
- Risk-based life cycle: Risk assessment throughout the system’s life cycle to define the necessary level of validation.
- Good engineering practices: Integration of good development and validation practices to ensure system effectiveness and security.
- Periodic Review: Validation is not a one-time event; continuous reviews are necessary after system changes.
21 CFR Part 11: Regulation of Electronic Records and Signatures
21 CFR Part 11 is a fundamental regulation to ensure the authenticity, integrity, and security of electronic records and signatures. Compliance with this regulation is essential to protect electronic data in automated systems, especially in industries that handle product quality and safety data.
The main requirements of 21 CFR Part 11 include:
- Electronic signatures: Must be unique, traceable, and linked to the user to ensure data authenticity.
- Access controls: Access to critical systems must be restricted to authorized users only, using robust authentication.
- Audit trails: Changes to data and user activities must be fully recorded and regularly audited.
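As an added illustration of the audit-trail requirement (this is example code written for this article, not code from the article or from any particular product), the following Python sketch records every change with user, timestamp, old and new value and a mandatory reason, links each entry to its predecessor with a SHA-256 hash chain, and gives the periodic review a single check that reports altered, deleted, reordered or missing entries. The field names, the all-zero genesis sentinel and the sample batch values are assumptions constructed for the example.

```python
"""Tamper-evident audit trail: hash-chained entries plus a review check.
Example code for this article; field names and sample values are constructed."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_HASH = "0" * 64  # constructed sentinel: predecessor of the first entry


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who changed what, when and why (assumed field set)."""
    seq: int
    timestamp: str            # ISO 8601 UTC, taken from a trusted clock by the caller
    user_id: str
    record_id: str
    field_name: str
    old_value: Optional[str]
    new_value: Optional[str]
    reason: str
    prev_hash: str            # entry_hash of the previous entry (the chain link)
    entry_hash: str = ""      # SHA-256 over every other field


def compute_hash(entry: AuditEntry) -> str:
    """Hash the entry minus its own entry_hash, using canonical JSON so it is reproducible."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of entries in which each entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, timestamp: str, user_id: str, record_id: str, field_name: str,
               old_value: Optional[str], new_value: Optional[str], reason: str) -> AuditEntry:
        if not reason.strip():
            raise ValueError("a reason for change is mandatory")
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = AuditEntry(len(self.entries) + 1, timestamp, user_id, record_id,
                           field_name, old_value, new_value, reason, prev_hash)
        entry = dataclasses.replace(draft, entry_hash=compute_hash(draft))
        self.entries.append(entry)
        return entry

    def tail_hash(self) -> str:
        """Hash of the newest entry; store it out of band so truncation is detectable."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self, expected_tail: Optional[str] = None) -> str:
        """Return 'ok' or a description of the first problem found during review."""
        prev_hash = GENESIS_HASH
        for position, entry in enumerate(self.entries, start=1):
            if entry.seq != position or entry.prev_hash != prev_hash:
                return f"entry {position}: chain break (entry removed or reordered)"
            if compute_hash(entry) != entry.entry_hash:
                return f"entry {position}: content altered after recording"
            prev_hash = entry.entry_hash
        if expected_tail is not None and prev_hash != expected_tail:
            return "tail mismatch (newest entries missing)"
        return "ok"


def demo() -> dict:
    """Constructed sample: edits to one batch record, then four review outcomes."""
    trail = AuditTrail()
    trail.append("2024-05-01T08:00:00Z", "analyst01", "BATCH-0042", "assay_pct",
                 None, "99.1", "initial result")
    trail.append("2024-05-01T09:30:00Z", "analyst01", "BATCH-0042", "assay_pct",
                 "99.1", "98.7", "transcription error corrected")
    trail.append("2024-05-01T10:00:00Z", "qa_lead", "BATCH-0042", "review_status",
                 "pending", "approved", "QA review")
    anchor = trail.tail_hash()  # would be kept in the review report, not in the trail
    results = {"intact": trail.verify(anchor)}

    altered = AuditTrail()      # someone rewrites the corrected value in place
    altered.entries = list(trail.entries)
    altered.entries[1] = dataclasses.replace(altered.entries[1], new_value="99.1")
    results["altered"] = altered.verify(anchor)

    truncated = AuditTrail()    # the newest entry is dropped
    truncated.entries = trail.entries[:2]
    results["truncated"] = truncated.verify(anchor)

    deleted = AuditTrail()      # a middle entry is removed
    deleted.entries = [trail.entries[0], trail.entries[2]]
    results["deleted"] = deleted.verify(anchor)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The chain by itself cannot reveal that the newest entries were cut off, which is why `verify` also compares against a tail hash kept out of band (for example, in each periodic review report). In a real system the chain complements, rather than replaces, append-only storage, a trusted time source and restricted write access to the trail.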
ANVISA’s IN 134: Guidelines for Computerized Systems
IN 134 establishes guidelines for the continuous validation and qualification of computerized systems in the pharmaceutical industry, ensuring data integrity and traceability. Its main requirements include:
- Complete documentation: All validation steps, including validation plans, test protocols, and risk assessments, must be documented.
- Version control: Any system changes must be tracked and revalidated.
- User training: Personnel must be trained and qualified to operate the systems.
- Contingency plans: Measures must be implemented to ensure operational continuity in case of failures.
ISO/IEC 27001: Cybersecurity Requirements
Compliance with cybersecurity standards, such as ISO/IEC 27001, is fundamental to protect systems and data from unauthorized access. Key requirements include:
- Access controls: Multi-factor authentication (MFA) for critical systems.
- Intrusion monitoring: Continuous monitoring tools to detect and respond to intrusion attempts or suspicious activities.
- Data encryption: Protection of data in transit and at rest through encryption.
- Backup and data recovery: Regular backup plans and frequent data restoration tests, ensuring that operations can be resumed in case of failures.
What to Evaluate in a Computerized Systems Audit?
In a computerized systems audit, it is essential to thoroughly evaluate the critical elements that ensure the proper functioning and security of the environment. Focusing on data integrity and information security is fundamental to ensure that the system operates efficiently and reliably. The audit should cover the verification of data protection controls and mechanisms, as well as the effectiveness of measures adopted for failure prevention and data security. This approach ensures that the systems meet the necessary requirements, maintaining the integrity and security of processes and information.
Review of User Requirements (URS)
- User Requirements Specification (URS): Verify that the user requirements are documented clearly, comprehensively, and accurately. The URS should detail all functionalities and requirements that the system needs to have to adequately meet operational and quality requirements, including acceptance criteria and functional expectations.
Validation Plan and Standard Operating Procedures (SOP)
- Validation Plan: The system’s validation plan must be up-to-date and reflect the entire system lifecycle, from conception to decommissioning. It should include qualification protocols (IQ, OQ, PQ), as well as checks on security, performance, and data integrity.
- Standard Operating Procedures (SOP): SOPs related to the use, maintenance, and control of systems and electronic spreadsheets must be reviewed periodically and updated as necessary. They should cover everything from daily use to corrective measures, change control, and contingency in case of failures.
Qualification Models: IQ, OQ, and PQ
- Installation Qualification (IQ): Verify that the system installation was performed according to specifications and is properly documented. The IQ should ensure that all system components have been installed correctly.
- Operational Qualification (OQ): Ensure that the system operates according to the requirements defined in the URS, conducting comprehensive functional tests and performance checks against those requirements.
- Performance Qualification (PQ): Assess whether the system is capable of operating according to the defined performance parameters under normal operating conditions, simulating the production environment.
Periodic System Review
- Maintenance and Periodic Review: Computerized systems and electronic spreadsheets must undergo periodic reviews to verify that they continue to comply with regulatory and operational requirements. The reviews should include checks on performance, security, efficiency, and ongoing compliance with standards and regulations, as well as ensuring that any failures are corrected.
Inventory of Systems and Electronic Spreadsheets
- Complete Inventory: Maintain an up-to-date inventory of all systems and spreadsheets in use, with details such as installation date, validation status, and any significant changes made. The inventory should be reviewed regularly and include a description of each system’s critical functions.
- Spreadsheet Control SOP: Ensure that there is a specific Standard Operating Procedure for managing electronic spreadsheets, covering their validation, version control, and change traceability, to ensure data integrity.
Cybersecurity Requirements
- Cybersecurity Plan: Verify that computerized systems meet cybersecurity requirements, including the implementation of robust access control policies, multi-factor authentication (MFA), data encryption, and security monitoring. Regular audits should be conducted to ensure that systems are protected against internal and external threats.
- ANVISA Cybersecurity Standards: Ensure that the system complies with applicable information security standards in Brazil, such as ANVISA’s IN 134, focusing on the protection of data integrity, confidentiality, and availability.
IT Infrastructure Qualification
- Infrastructure Qualification (IQ): Verify that the entire IT infrastructure associated with the system, including servers, network, storage, and security components, has been properly qualified. The qualification should follow best practice standards, ensuring that the infrastructure supports the systems efficiently and securely.
- Backup and Restore: Systems and spreadsheets must have a documented and structured backup plan, and periodic backup and restore tests should be conducted to ensure that data can be correctly restored without loss of integrity.
- Disaster Recovery Plan: The recovery plan must be formally documented and aligned with business continuity requirements, allowing the company to quickly restore critical systems in case of failure or disaster.
Backup and Disaster Recovery
- Backup Plan: Verify that there is a well-documented backup plan, which includes regular and automated procedures to protect critical data, ensuring that all backups are tested periodically.
- Disaster Recovery Plan: Confirm that the disaster recovery plan has been recently tested, to ensure that critical systems can be restored within acceptable timeframes in case of serious failure or disaster.
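The backup and restore test described in this section and in the IT infrastructure section above ("data can be correctly restored without loss of integrity") can be made objective with a hash manifest. The following Python example, added here and not taken from the article, records a SHA-256 manifest of the source at backup time, restores the archive to a scratch location and reports every file that is missing, corrupted or unexpected after restoration; the same manifest comparison is what one would use to check validated spreadsheets against their approved baseline. The directory layout, file names and contents are constructed for the example.

```python
"""Backup manifest, restore to a scratch directory and integrity comparison.
Example code for this article; all paths and file contents are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large data files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a compressed archive of source and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, the scratch area used for the restore test."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # refuses unsafe member paths (3.12+, backports)
        except TypeError:
            tar.extractall(target)                 # older interpreters without the filter argument


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare the restored tree with the backup-time manifest and classify every deviation."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def run_restore_test(corrupt: bool = False) -> Dict[str, List[str]]:
    """End-to-end test on a constructed data set; corrupt=True simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "lims_data"                       # constructed source tree
        (source / "batches").mkdir(parents=True)
        (source / "batches" / "BATCH-0042.csv").write_text("sample,assay_pct\nS1,98.7\n")
        (source / "audit_trail.jsonl").write_text('{"seq":1,"user":"analyst01"}\n')

        archive = base / "lims_backup.tar.gz"
        manifest = create_backup(source, archive)

        restored = base / "restore_test"
        restore_backup(archive, restored)
        if corrupt:  # a restored file that no longer matches what was backed up
            (restored / "batches" / "BATCH-0042.csv").write_text("sample,assay_pct\nS1,99.7\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(corrupt=True))
```

A clean restore returns three empty lists; anything else is a finding for the audit, and the manifest file itself should be stored separately from the archive it describes so that a damaged or substituted backup cannot also rewrite its own expected hashes.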
Example of General Checklist – Audit of Systems, Spreadsheets, and Cybersecurity
Requirements | Verification |
---|---|
Is there a documented model of the User Requirements Specification (URS) document, formally approved by all stakeholders, and clearly reflecting the implemented systems? | [ ] Yes [ ] No |
Is there a Validation Plan that covers all phases of the system lifecycle, from conception through the validation stages and operation to decommissioning? | [ ] Yes [ ] No |
Are there templates of the Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) documents for all systems? | [ ] Yes [ ] No |
Is the periodic review plan implemented, ensuring the continuous compliance of systems and spreadsheets with regulatory requirements? | [ ] Yes [ ] No |
Were validation tests documented according to the system lifecycle? | [ ] Yes [ ] No |
Was risk management applied throughout the system lifecycle, including patient safety and data integrity? | [ ] Yes [ ] No |
Were decisions about validation and data integrity based on documented risk assessments? | [ ] Yes [ ] No |
Have the competence and reliability of system suppliers been verified through audits or risk assessments? Are there contracts and SLAs established with suppliers and service providers clearly defining their responsibilities? | [ ] Yes [ ] No |
Is there an up-to-date inventory of all relevant systems, including their critical functionalities, available for inspection upon request? | [ ] Yes [ ] No |
Is there a documented backup plan, and are backups performed periodically? | [ ] Yes [ ] No |
Has the integrity of backup data and restoration capability been verified and tested regularly? | [ ] Yes [ ] No |
Are audit trails implemented, do they document relevant changes and deletions, and are they reviewed regularly to ensure their integrity? | [ ] Yes [ ] No |
Is access to computerized systems restricted to authorized personnel and protected by secure authentication? | [ ] Yes [ ] No |
Have measures such as password control, biometrics, or access cards been implemented to prevent unauthorized access? | [ ] Yes [ ] No |
Are there documented contingency plans to ensure continuity of operations in case of system failure? | [ ] Yes [ ] No |
Have alternative measures for business continuity been tested? | [ ] Yes [ ] No |
Are threat monitoring policies, data encryption, and multi-factor authentication implemented? | [ ] Yes [ ] No |
Have all electronic spreadsheets used in critical processes been validated? | [ ] Yes [ ] No |
Do the spreadsheets have version control and protection against unauthorized changes? | [ ] Yes [ ] No |
Is there a specific Standard Operating Procedure (SOP) for the use and control of electronic spreadsheets, including validation, version control, and change traceability? | [ ] Yes [ ] No |
Are all electronic, hybrid, and manual records complete, consistent, and protected against unauthorized changes, following ALCOA+ principles? | [ ] Yes [ ] No |
Is there full traceability of changes in electronic, hybrid, and manual records? | [ ] Yes [ ] No |
Observations:
The audit of computerized systems in the pharmaceutical industry is a critical process to ensure compliance with technical regulations such as GAMP 5, 21 CFR Part 11, and national guidelines like ANVISA’s IN 134 and Guide 33. These regulations establish strict requirements for continuous validation, infrastructure qualification, and risk management, aiming to ensure data integrity, information security, and traceability throughout the entire system lifecycle. The application of structured validation processes, including IT infrastructure qualification and the implementation of audit trails, enables effective monitoring of all critical changes in the system, ensuring compliance with Good Manufacturing Practices.
Efficient management of suppliers and third parties, supported by well-defined contracts, ensures that technical competence is maintained in all phases of system development and operation. Additionally, the validation of electronic spreadsheets used in critical processes, along with the existence of documented backup and disaster recovery plans, ensures operational resilience and business continuity. Cybersecurity requirements, as specified in international standards like ISO/IEC 27001, are essential to protect systems against threats and unauthorized access. This includes the implementation of access controls, data encryption, and continuous monitoring.
Finally, a systematic approach that encompasses data integrity, access security, change traceability, and compliance with regulatory requirements is fundamental to ensure the reliability and compliance of computerized systems. This promotes product integrity and ensures patient safety in the pharmaceutical sector.
REFERENCES
- GAMP 5 (Good Automated Manufacturing Practice): A Risk-Based Approach to Compliant GxP Computerized Systems, which provides guidelines for the validation of computerized systems in regulated environments.
- 21 CFR Part 11: Electronic Records; Electronic Signatures, which regulates the use of electronic records and signatures by the FDA to ensure data integrity, authenticity, and security.
- ANVISA’s IN 134: Normative Instruction No. 134, which provides for Good Manufacturing Practices complementary to computerized systems used in the manufacture of medicines.
- ANVISA’s Guide 33: Guide for Computerized Systems Validation, which establishes guidelines for the validation and control of computerized systems in the pharmaceutical industry.
- ISO/IEC 27001: Information Security Management Systems – Requirements, an international standard that defines the requirements for an information security management system.