Preparing your Pharmaceuticals business for an MHRA inspection is always a stressful time, and many business owners we work with in pharmaceuticals and life sciences often ask for my advice in relation to computer systems issues that may come under the microscope during an inspection.
One of the common themes that is examined is around backup and disaster recovery of computer systems, so today I thought it would be useful to share a few key points about this important topic for MHRA compliance.
Backups form a key component in the day-to-day running of any IT system. There are a variety of different types of backup, such as backups to the cloud, backups to removable media and real-time replication to other servers.
It is important to realise that different types of backups are useful in different scenarios, and so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which provides for extra protection in the event of a disaster on your premises, which might wipe out locally held backups as well as the live servers. On the other hand, removable media provides a very useful form of backup as it is held off-line and therefore can’t be attacked by cyber security threats such as ransomware. Offline backups can also be useful to facilitate fast restoration, since you do not need to pull the data back over the Internet.
Real-time replication to another server works well when no downtime can be tolerated, but bear in mind if a corruption or accidental deletion of a file occurs, that this will be replicated in real-time to the backup server too.
So there are a number of considerations to any company’s backup strategy and it may well be appropriate to employ different solutions for different applications or servers.
Full disaster recovery is something else that may come under the spotlight in an MHRA inspection, so it is well worth being prepared for questions. The first key consideration here is how long could you live for without each of your IT systems and data? This is likely to vary from system to system, for example you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to go through each system you use, considering how long you could live without it. The second key consideration is around data loss. Again for each system you need to be clear how much data loss, if any, would be acceptable and tailor your disaster recovery systems accordingly. If no data loss is acceptable, then a real-time replication solution should be considered. Whilst if some data loss is acceptable in a disaster scenario, then you may be able to live with backups that run daily or hourly.
Finally, never underestimate the importance of having a written disaster recovery plan and having tested it on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. So regular testing is paramount, bearing in mind that your IT systems are constantly evolving and being updated.
I hope this gives you some key pointers for preparing your IT systems for an MHRA inspection, from a backup and disaster recovery perspective. If you need help preparing for an MHRA inspection, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email Gary.Swanwick@epoq-it.co.uk, when I will be pleased to help.