By:  Mark Newton, Associate Sr. Consultant – QA, Global Quality Laboratories for Eli Lilly and Company

Previously we discussed the importance of selecting the right person as your administrator to assure objectivity and conformance to procedures in practice.  This blog continues with another potential issue for instruments with attached PC controlling software: the administrator who is also a user.  This includes COTS software designed so the administrator has access to all capabilities of the software—a “super user”.

This brings two issues:

  1. The administrator can create/modify an account AND use it to do anything to test data that is permitted by the software
  2. The administrator may have access to functions for which they lack education or training

Issue #1 can be problematic for most systems.  Anytime an administrator can create an account, give it access rights, then use it to access test data using the software (or even the operating system), there is potential for data corruption.  The primary defense is selecting an administrator with no personal interest in the users or system-generated data—they can be objective, as discussed in the Your Administrator blog post.

Issue #2 is problematic when software gives an administrator access to testing functions and this access cannot be disabled.  The only recourse is procedural control and training — “thou shall not use these functions”—along with periodic checks to verify the administrator is not performing unauthorized actions.  Another approach is to create two accounts for this person – one as the administrator and another as a user.  Neither of these is as effective as technical controls – prevention is better than detection.  It is strongly advised that you NOT select a person with technical knowledge of the instrument as your administrator —this puts the administrator in a potential conflict of interest where they could be pressured to use their access to change test data.  If the administrator cannot be trusted to protect data integrity, then can anything from the instrument be trusted?

To avoid these issues, stop!  Stop purchasing instruments that give an administrator access to testing functions.  If you already own one, use all of the capabilities provided in the software to restrict the administrator’s access to any features beyond account management (and possibly configuration controls) and limit the administrator to account management in your instrument setup, your procedures and training materials.

Pick your administrator carefully—they protect the integrity of your electronic records.

Review part 1 of this GAMP series:  Your Administrator.

Are you looking for a hands-on approach for identifying, mitigating, and remediating potential causes of breaches in data integrity?

Don’t miss this special half-day Data Integrity Workshop focused on key data integrity issues facing the pharmaceutical product lifecycle. This interactive workshop will identify important regulatory issues impacting data integrity, answer key questions surrounding current expectations, and provide an overview of the Application Integrity Policy.  Learn more about the Data Integrity Workshop and how to register.