Business Intelligence and 21 CFR Part 11 Compliance

JohnO

Hello,

I jumped over the wall a few years back, and instead of being a "user" I now deploy and support QMS-related IT systems for a living. My business partners and I have a conversation going regarding direct database access to systems that are Part 11 in nature. My team's "IT stance" (for many assorted IT reasons) is to build a data warehouse with limited views, proper access and controls, validate the nature of those feeds if they're being used to make quality-related decisions, and employ IS change control to dial in additional requirements over time. Theirs is wanting direct access to the data in real time due to the speed of immediate needs, and wanting to be able to see everything (including things they cannot anticipate or currently socialize).

I recognize that speed, change and compliance don't always go hand in hand, but I see their concern, and I want to give them the right balance of all without giving the keys away.

Are there any regulations that speak to IT systems, and accessing data directly from a database, instead of through some deployed solution / computer systems validation? From an IT perspective, I'd worry about access to data from the back end that is not granted permission from the front, sensitive data access, unvalidated access for validated needs, system security, audit trails, and potential risks if there proved to be any security holes that allowed for above-read access, or access to something more than transactions / master data (e.g. passwords).

I'm wondering if my concerns are echoed in rules or guidance for ISO, the FDA, or other regulations for which I'm accountable.

Thanks for the advice,

- JO
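As an added illustration of the "limited views, proper access and controls" approach described in the post above (this is example code, not from the original thread): assumed PostgreSQL, with hypothetical schema, table and column names, that gives BI analysts read-only access to a curated view while keeping base tables, password hashes and the application's audit trail out of reach.

```sql
-- Assumed PostgreSQL. Schema/table/column names (qms.*, reporting.*) are hypothetical.
-- Goal: BI users read curated data through a view, never touch base tables,
-- and cannot write anything, so the application's own audit trail stays intact.

-- 1. Reporting schema, owned by the application/DBA role, not by BI.
CREATE SCHEMA IF NOT EXISTS reporting;

-- 2. Group role for BI readers; each analyst is a named member so access
--    stays attributable to a person (no shared "bi" login).
CREATE ROLE bi_reader NOLOGIN;
CREATE ROLE analyst_jdoe LOGIN PASSWORD 'change-me' IN ROLE bi_reader;

-- 3. Curated view: only the columns a quality decision needs. The view runs
--    with its owner's privileges, so qms.users (which holds password_hash)
--    is never directly reachable by bi_reader.
CREATE VIEW reporting.v_nonconformance AS
SELECT n.nc_id,
       n.opened_at,
       n.status,
       n.severity,
       u.display_name AS opened_by        -- a name, not the user row itself
FROM   qms.nonconformance n
JOIN   qms.users u ON u.user_id = n.opened_by_user_id;

-- 4. Least privilege: USAGE on the reporting schema, SELECT on the view,
--    and explicitly nothing on the application schema.
GRANT  USAGE  ON SCHEMA reporting TO bi_reader;
GRANT  SELECT ON reporting.v_nonconformance TO bi_reader;
REVOKE ALL    ON SCHEMA qms FROM bi_reader;

-- 5. Defence in depth for the login role: sessions default to read-only.
--    This is a safeguard, not the security boundary; the grants above are.
ALTER ROLE analyst_jdoe SET default_transaction_read_only = on;

-- 6. Verification for change control: list exactly what bi_reader can touch.
--    Expected result: one row, reporting / v_nonconformance / SELECT.
SELECT table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'bi_reader';

-- Run as analyst_jdoe, the following should succeed / fail respectively:
-- SELECT * FROM reporting.v_nonconformance LIMIT 5;   -- allowed
-- SELECT password_hash FROM qms.users;                -- permission denied
-- UPDATE qms.nonconformance SET status = 'closed';    -- permission denied
```

Adding a column to the view later is a change-controlled DDL change, which is the "dial in additional requirements over time" part of the approach.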
 

yodon

Leader
Super Moderator
HIPAA (US) and GDPR (EU) jump to mind. On the standards side, maybe ISO 27001.

California is apparently instituting legislation similar to GDPR.

Obviously any changes through direct access would likely break the audit trail.