Post MHRA inspection comments- computer systems

[RR1]

Here goes, some more of my non-conformances related to online activity of suppliers/ support software companies in relation to our LIMS and our Analyser.

1. Due to the explicit trust placed in service contractors, the site were not aware of the nature of changes made to their computerised systems following service provider interventions as evidenced by:

a) The LIMS software change on xxx 2009 to resolve an issue involving the status and availability of a unit.

The analyser storage issue identified on xxxx 2009 where (the supplier) during an online connection were reported to have “deleted data to free spaceâ€.

The site were not aware in both cases during the online access sessions granted if the service provider had applied software changes, adulterated patient or system records, modified configuration settings or other unspecified actions

All discussions would be very welcome!

[jayjay]

Who is your LIMS provider? Dialling in as a very difficult area to control. Any changes/upgrades should come with the full paper work, be validated in the training database before being uploaded into the live database. Ideal world scenario!!

[RR1]

Who is your LIMS provider? Dialling in as a very difficult area to control. Any changes/upgrades should come with the full paper work, be validated in the training database before being uploaded into the live database. Ideal world scenario!!

For my analyser I have got the company to ensure they give a full electronic report post-dialling in , so we can check things. I think we will have to ensure that this is in the contract with them or set up a technical agreement to this effect.

For my LIMS system, this comment referred to a unit of blood that was 'locked' by the system and could only be unlocked by the company. I think a similar arrangement will need to be set up with them too, to state responsibilities and communication etc.

The good thing is I am not taking responsibility in answering the above non-conformances......have delegated to higher powers to sort out.

[RR1]

would it be correct to assume that ALL IT systems that affect the blood bank should have similar access controls, post service checks, disaster recoverability checks etc. This would include any document control systems and most importantly the hospital system where specific 'work areas' store forms, reports, inspection reports, BCR's documents??

Also would this include DATIX?

[jayjay]

Again I would say keep it simple. If DATIX is your primary incident management system then it will need to be treated the same as the LIMS in terms of validation, upgrades etc. As most transfusion labs do not have control over DATIX and other staff can alter information I would not use as the primary system. Yes clinical incidents should be reported to DATIX and others if you so desire but you will still need to keep records for 15 years so think carefully

[RR1]

Thanks Joan,

Datix isn't my primary system but my incident logs and spreadsheets are kept on the shared drive of the hospital server, So I presume the hospital computer system/ intranet should be managed securely.

[Malcolm Needs ☆]

Never presume; always make certain!

[RR1]

Does anyone suspect that hospital/ Path IT folk have not really bought in to this quality stuff- and that may be the MHRA should issue a guidance note of expectations for managing IT systems?

Over the year I have forwarded VMP, change control, draft annex 11,PICs guidelines for IT systems etc- but i'm not getting an enthusistic response (surprisingly!!), it's as though path IT folk thing the BSQR does not apply to them, and I have also seen this in a few other hospitals too.....is this frustrating everyone else too?

[bmsjbatt]

Are your PATH IT people Pathology staff with an IT interest? or IT people working in the PATH environment, if they are the latter start talking to them about ITIL best practice as much of the BSQR stuff relating to IT validation is based on ITIL service managment acceptance criteria. and they should be working to ITIL standards as it is an NHS preferred way of operating.

[RR1]

Hi Jo, thanks for the info, the folks I have spoken to are dedicated Path IT staff so they should be following the BSQR/GMP requirements and are aware of current risks of non-compliance regarding management of the LIMS. I just feel there is a lack of even wanting to understand the correct approach to upgrading,checking and maintaining systems properly.

From what I have just been reading about ITIL, this is just good practice rather than a mandatory requirement, so if MHRA inspections can't improve buy-in from these folk then nothing else will !! The MHRA should be fine tuning their inspections to concentrate on these issues and this could also be helped by asking more in depth questions on the next BCR ( I could easily think of a good 10-20 questions I would quite like answered myself!!).

As usual- these things are sent to try us!!

Edited September 15, 2010 by RR1

[bmsjbatt]

Indeed, I sympathise with you on this, however do you not get any support from clinical director / Exec team, as they are ultimately responsible for MHRA failures and must answer to the DOH if things are not done properly? so maybe you need them to "order" your IT bods to do things properly and not in a half-arsed way.

Not saying this is the solution to all your problems, but if a sideways / bottom - up approach isn't working for you, maybe you need a top down approach.

best wishes

Jo

[Eoin]

Hi Folks,

CFR21 Part 11 is the regulation applying in the states. It has points worth thinking about. Also http://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM070266.pdf points you to Guidance for Industry -Computerised systems used in Clinical Investigations. Again there is food for thought there. I just make sure that our IT system complies with requirements of - in our case ISO:15189, but I do check back-up for recovery from disaster on a quarterly basis. Back-up incidentally is on a remote site. It is also backed up locally on a B/U server for ease of upload if required. Then we have the Data Privacy Act to comply with - all in all a nightmare area to get into. I have any requirements spelt out in the SLA with the IT department, but checks of compliance have to be done by the user department. OOOH, it's Friday afternoon & just thinking of all that gives me a headache.

Cheers

Eoin

[RR1]

Thanks Jo and Eoin, unfortunately at some sites to get the message to the right people has to be through formal channels of escalation- otherwise this can re-bound in a very negative way, and can certainly damage relations in trying to establish trust between between lab/management .These problems are however made even more difficult when senior lab management perceive escalation as being "threatened" or when something is escalated- they tell you to sort it out yourself!

Anyway- has anyone actually been specifically cited by MHRA for not having SLA with IT depts etc? As my quality/IT folk are not aware of any specific non-compliances being raised around our local hospitals they are not going to address this.

[bmsjbatt]

Bump.

We have recently received notice regarding IT systems, and had to supply details of trust / IT technical agreement, mainly dealing with disater recovery and ability to access legacy systems / archives, but also with regard to IT failing to supply the department with change control notifications prior to carrying out a programme of hardware refresh.

Jo

[jayjay]

Bump.

We have recently received notice regarding IT systems, and had to supply details of trust / IT technical agreement, mainly dealing with disater recovery and ability to access legacy systems / archives, but also with regard to IT failing to supply the department with change control notifications prior to carrying out a programme of hardware refresh.

Jo

I think you will find that many questions are raised over IT issues as this appears to be an area which is not well managed as it often involves more that the transfusion laboratory