Shared user credentials during internal audit – preventing escalation to warning letter

Published on 29/01/2026

Managing Shared User Credentials during Internal Audits to Avoid Regulatory Escalation

In pharmaceutical manufacturing and quality control, data integrity depends on being able to attribute every record to the person who created or changed it. One recurring finding, often surfaced first by an internal audit, is shared user credentials: several people logging in to a laboratory instrument, MES or LIMS under one account. This breaks the attributability requirement behind ALCOA+ and is a frequent precursor to observations from the FDA, EMA and MHRA. This article provides a playbook for handling such a finding so that it is contained, investigated and closed before it escalates into a regulatory observation or warning letter.

After reading this guide, professionals in manufacturing, quality control and regulatory affairs will have actionable steps to assess the situation quickly, investigate it methodically, implement controls and prepare documentation that stands up during an inspection.

Symptoms/Signals on the Floor or in the Lab

Recognizing early signs of shared credentials is crucial for timely intervention. Common indicators are:

  • Access-log anomalies: the same account logged in on two workstations at once, logins while the account holder is on leave or off shift, or one account in use across an entire shift with no logout at handover.
  • Inconsistent batch records: electronic signatures or entries that cannot be matched to the person who was physically present at the step.
  • Increased deviations: a rise in deviations or non-conformances involving access to, or use of, controlled systems.
  • Internal audit findings: reports citing non-compliance with Good Documentation Practice (GDP) and the ALCOA+ principles (attributable, legible, contemporaneous, original, accurate, plus complete, consistent, enduring and available).

Any of these signals should prompt a deeper look at how user access and data management are actually practised on the floor, not just how the SOPs describe them.

    Likely Causes

    When assessing a shared-credential finding, it helps to categorize potential causes using the six M's model: Materials, Method, Machine, Man, Measurement and Environment.

    • Materials: SOPs and role definitions that do not clearly state who may hold an account, how accounts are requested and how leavers are removed.
    • Method: no standardized process for provisioning individual accounts and reviewing access, so staff fall back on a generic login.
    • Machine: legacy or misconfigured systems that offer only a single instrument-level account, do not enforce unique logins, or do not record who performed an action.
    • Man: a culture in which sharing a password is seen as helpful rather than a data integrity breach, often combined with a misunderstanding of regulatory expectations.
    • Measurement: no metrics or periodic user-access reviews that would surface concurrent sessions or dormant accounts, so the practice is never detected.
    • Environment: time pressure on the floor, shared terminals at an instrument, and shift handovers where logging out and back in is seen as lost production time.

    Immediate Containment Actions (first 60 minutes)

    Upon identifying potential instances of shared user credentials, immediate containment actions must be initiated:

    • Secure evidence: export the access logs and audit trails for the affected systems to read-only storage before any account changes are made, and record who exported them and when. Disabling an account or resetting a password first can overwrite or truncate exactly the history you need.
    • Stop the practice without halting production: change the password of the suspected shared account and, where the system supports it, issue individual accounts to the people who were using it. Disable the account outright only if it is not needed for a running batch, and agree the step with production and QA.
    • Notify key stakeholders: inform QA, the system owner and regulatory affairs so that the response is coordinated and the deviation is raised in the quality system.
    • Conduct initial interviews: speak with the people who used the account to establish how long the practice has existed, which systems and records are affected, and whether anyone else did the same.

    Acting within the first hour preserves evidence and limits the number of records whose attributability is in question.

    Investigation Workflow (data to collect + how to interpret)

    The investigation process requires methodical data collection and assessment:

    • Collect access logs: gather login, logout and audit-trail entries from each relevant system and look for sharing patterns such as concurrent sessions from different workstations, logins from more workstations than one person could plausibly use, and activity while the nominal account holder was absent (compare against shift rosters and leave records).
    • Review batch documentation: identify every record, result and electronic signature created under the shared account during the affected period and assess whether the responsible person can be established from other evidence.
    • Evaluate training records: check whether the people involved were trained on data integrity and individual accountability, and when.
    • Document interviews: record who was interviewed, what they said about how and why the account was shared, and what they understood the rules to be.

    Interpreting this data establishes the extent of the issue (one instrument or many, one shift or all) and whether the records affected remain reliable, which in turn determines whether systemic changes are required.

    Root Cause Tools (5-Why, Fishbone, Fault Tree) and When to Use Which

    Root cause analysis is needed to understand why the sharing happened, not just that it happened. Three commonly used tools:

    • 5-Why analysis: starts from "Why was the password shared?" and asks why of each answer until a cause is reached that the organization can act on. It works best for a single, fairly linear chain of cause and effect, for example a new analyst who was never issued an account and was told to use the supervisor's.
    • Fishbone diagram: a visual representation that groups potential causes by category (the six M's above). It suits brainstorming with the team and exposes contributing factors across people, process and system.
    • Fault tree analysis: works top-down from the undesired event to the combinations of failures that allow it. Best suited for complex situations with several independent contributing factors, such as a site-wide practice that persisted through several audits.

    Select the tool based on the situation: for a quick, straightforward issue, 5-Why is sufficient; for broader or recurring problems, a Fishbone or Fault Tree analysis gives a more complete picture.

    CAPA Strategy (correction, corrective action, preventive action)

    A robust Corrective and Preventive Action (CAPA) strategy is essential to address the findings effectively:

    • Correction: reset the shared account, issue unique credentials to every user, and assess the impact on the records created under the shared account during the affected period.
    • Corrective action: revise the access-management SOP to prohibit shared credentials, define how accounts are provisioned and removed, and retrain staff on data integrity and the regulatory expectations behind it.
    • Preventive action: institute periodic user-access reviews and ongoing monitoring of login patterns, and strengthen authentication where the system allows (for example individual accounts with automatic session timeouts).

    The CAPA record should reference the investigation and root cause analysis so that each action is traceable to the cause it addresses and its effectiveness can be checked later.

    Control Strategy & Monitoring (SPC/trending, sampling, alarms, verification)

    Effective control mechanisms must be established to monitor potential risks associated with shared credentials.

    • Trending: track metrics such as logins per account per shift, number of distinct workstations per account, and sessions left open past shift end, and review them for drift over time.
    • Sampling: regularly sample batch records and audit trails and verify that the person who signed or entered data was the one on shift and logged in at that time.
    • Alarms and alerts: configure automated alerts for concurrent sessions on one account from different workstations, logins outside the account holder's shift, and logins from more workstations within a short window than one person could reasonably use.
    • Verification: conduct routine user-access reviews confirming that every active account belongs to a current, named individual and that generic accounts have been removed or justified.

    A robust control strategy minimizes the recurrence of shared credentials and fosters a culture of individual accountability.
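    The log-review step in the investigation workflow and the alerting step above both come down to the same analysis: reading login/logout events and flagging accounts whose usage pattern is impossible for a single person. The script below is an added example written for this article, not code from the original page or from any vendor system. It assumes a constructed log format (ISO timestamp, account, workstation, LOGIN/LOGOUT, pipe-separated) and constructed sample lines; a real LIMS or instrument audit trail will need its own parser, but the two checks (concurrent sessions and workstation spread within a window) carry over unchanged.

```python
"""Detect shared-credential signals in a login/logout log (added example, not page code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real system. Assumed line format:
# <ISO timestamp> | <account> | <workstation> | LOGIN or LOGOUT
SAMPLE_LOG = """\
2026-01-29T06:58:12 | lab_analyst | HPLC-WS-01 | LOGIN
2026-01-29T07:02:45 | lab_analyst | HPLC-WS-03 | LOGIN
2026-01-29T07:30:00 | lab_analyst | HPLC-WS-01 | LOGOUT
2026-01-29T07:45:10 | lab_analyst | HPLC-WS-03 | LOGOUT
2026-01-29T08:00:00 | j.doe       | HPLC-WS-02 | LOGIN
2026-01-29T09:10:00 | j.doe       | HPLC-WS-02 | LOGOUT
2026-01-29T14:00:00 | lab_analyst | HPLC-WS-02 | LOGIN
2026-01-29T14:20:00 | lab_analyst | HPLC-WS-04 | LOGIN
2026-01-29T14:25:00 | lab_analyst | HPLC-WS-05 | LOGIN
"""


def parse_log(text):
    """Parse the assumed pipe-separated format into time-ordered tuples."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, account, workstation, event = (f.strip() for f in raw.split("|"))
        events.append((datetime.fromisoformat(ts), account, workstation, event.upper()))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order from the log
    return events


def find_concurrent_sessions(events):
    """Flag every LOGIN made while the same account already has an open session
    on a different workstation. One person cannot be at two instruments at once."""
    open_sessions = defaultdict(dict)  # account -> {workstation: login time}
    findings = []
    for ts, account, workstation, event in events:
        if event == "LOGIN":
            others = sorted(ws for ws in open_sessions[account] if ws != workstation)
            if others:
                findings.append({"account": account, "at": ts,
                                 "new_workstation": workstation,
                                 "already_open_on": others})
            open_sessions[account][workstation] = ts
        elif event == "LOGOUT":
            # A LOGOUT with no matching LOGIN points to a log gap; ignore rather than crash.
            open_sessions[account].pop(workstation, None)
    return findings


def find_workstation_spread(events, window=timedelta(hours=1), threshold=3):
    """Flag accounts that log in from `threshold` or more distinct workstations
    within `window`. Catches sharing even when users do log out between uses."""
    logins = defaultdict(list)
    for ts, account, workstation, event in events:
        if event == "LOGIN":
            logins[account].append((ts, workstation))
    findings = []
    for account, entries in logins.items():
        for i, (start, _) in enumerate(entries):
            in_window = {ws for ts, ws in entries[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                findings.append({"account": account, "window_start": start,
                                 "workstations": sorted(in_window)})
                break  # one finding per account is enough to open a deviation
    return findings


def open_at_end(events):
    """Sessions never closed in the log: either still active or a logging gap.
    Both deserve a look during the investigation."""
    open_sessions = defaultdict(set)
    for _, account, workstation, event in events:
        if event == "LOGIN":
            open_sessions[account].add(workstation)
        elif event == "LOGOUT":
            open_sessions[account].discard(workstation)
    return sorted((acct, ws) for acct, wss in open_sessions.items() for ws in wss)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_concurrent_sessions(evs):
        print(f"CONCURRENT {f['account']} at {f['at']}: {f['new_workstation']} "
              f"while open on {', '.join(f['already_open_on'])}")
    for f in find_workstation_spread(evs):
        print(f"SPREAD {f['account']} from {f['window_start']}: {f['workstations']}")
    for acct, ws in open_at_end(evs):
        print(f"STILL OPEN {acct} on {ws}")
```

    On the constructed sample, the generic lab_analyst account is flagged three times for concurrent sessions and once for using three workstations within an hour, while the named j.doe account is clean. The one-hour window and threshold of three are illustrative; set them from your own site's layout (how many instruments one analyst realistically runs in a shift) and document the rationale, since the thresholds become part of the control strategy an inspector may ask about.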

    Validation / Re-qualification / Change Control Impact (when needed)

    Changing how users are provisioned, authenticated or logged is a change to a validated computerised system and may require validation or re-qualification work:

    • Validation needs: configuration changes such as enabling unique accounts, session timeouts or audit-trail settings must be tested and documented under the system's validation plan, confirming that the system restricts access and records user actions as intended (the expectations of 21 CFR Part 11 and EU GMP Annex 11 apply here).
    • Re-qualification: where a legacy system is replaced or upgraded because it cannot support individual accounts, the new configuration should be re-qualified before it is used for GMP records.
    • Change control: manage the policy, configuration and training changes through the established change control procedure so the rationale, impact assessment and approvals are on record.

    Deciding early whether a given change needs validation avoids the situation where a well-intentioned fix itself becomes an inspection finding.

    Inspection Readiness: What Evidence to Show

    Maintaining inspection readiness is crucial for regulatory compliance. Key evidence to demonstrate includes:

    • Access logs and audit trails: comprehensive logs that are routinely reviewed, with the reviews themselves documented, so you can show that irregularities would have been detected.
    • Training records: evidence that staff were trained on data integrity and individual accountability, including any retraining performed as part of the CAPA.
    • CAPA documentation: the deviation, investigation, root cause, actions taken and the effectiveness check that confirmed the practice has stopped.
    • Batch records: records that show individual user logins and electronic signatures for each action, demonstrating attributability in line with GDP and ALCOA+.

    Having this information readily available supports your case during inspections and reinforces your commitment to data integrity.

    FAQs

    What are shared user credentials?

    Shared user credentials refer to the practice of multiple individuals using the same login information to access systems, which can compromise data integrity and accountability.

    Why is it a compliance risk?

    Shared credentials pose a significant risk to compliance as they prevent accurate traceability of actions and may lead to unauthorized data changes.

    How can I secure user access?

    Issue a unique account to each individual, remove or justify any generic accounts, enforce session timeouts so an unattended terminal does not stay logged in, and monitor login activity for patterns that one person could not produce.

    What is the role of CAPA in this scenario?

    CAPA helps identify and rectify issues related to shared credentials and prevent future occurrences by implementing robust corrective actions.

    What training should be provided to staff?

    Staff should receive comprehensive training on the importance of data integrity, regulatory requirements, and the risks associated with shared credentials.

    How often should audits be conducted?

    Frequency should be risk-based and justified in your procedures; a quarterly user-access review is a common baseline, with more frequent review for systems that generate batch release data.

    What regulatory bodies provide guidelines on this topic?

    The FDA (data integrity guidance for drug CGMP and 21 CFR Part 11), the EMA (EU GMP Annex 11 and its data integrity Q&A) and the MHRA (GxP Data Integrity Guidance) all set out expectations on unique user access, audit trails and attributability that should be followed.

    How can we ensure records are audit-ready?

    Sustaining thorough, organized, and contemporaneous records can ensure that they are readily available and compliant during audits or inspections.

    Can shared credentials ever be acceptable?

    Shared credentials are not acceptable for creating or changing GMP records. Where a legacy system technically cannot support individual accounts, regulators expect the limitation to be documented, the risk assessed, and compensating controls applied (for example a contemporaneous paper log of who operated the instrument) until the system is upgraded or replaced.

    What documentation is crucial during an internal audit?

    Essential documentation includes access logs, training records, CAPA documentation, and batch records demonstrating proper data management practices.

    How do we communicate changes to user access protocols?

    Providing formal notifications, training sessions, and clear updates to standard operating procedures (SOPs) can effectively communicate any changes to protocols.

    What immediate actions should be taken upon discovery of shared credentials?

    Immediate actions include securing access logs, notifying stakeholders, disabling suspicious accounts, and conducting initial staff interviews.
