QA018: SOP FOR DISASTER RECOVERY PLAN (DRP) FOR GMP-RELEVANT COMPUTERIZED SYSTEMS

OBJECTIVE:

  • To define the documented and controlled procedure for recovery and restoration of GMP-relevant computerized systems following any disaster or system failure, ensuring data integrity, traceability, business continuity, and compliance with WHO TRS / EU GMP Annex 11 and Annex 15.

SCOPE:

  • This SOP shall apply to:
      • All GMP-critical computerized systems and associated databases.
      • Data residing on servers, validated local PCs, network drives, and approved cloud storage.
      • Disasters or incidents including power loss, cyber-attack, fire, flood, hardware/software failure, or any event impacting data availability or integrity.

RESPONSIBILITIES:

Head Information Technology (IT) / Designee Quality Assurance:

  • Shall be responsible for maintaining the current version of the Disaster Recovery Plan.
  • Shall ensure that all backups and restoration processes are validated and verified.
  • Shall lead the disaster recovery execution, coordinate with system owners, and verify that all system access controls and password policies remain intact after restoration.

Head Quality Assurance (QA):

  • Shall be responsible for reviewing and approving the Disaster Recovery Plan and all periodic revisions.
  • QA shall verify the integrity and continuity of data and audit trails following system restoration, and approve all deviations and CAPA reports raised during or after the recovery process.
  • Shall participate in the periodic risk assessments and mock recovery drills to confirm the system’s continued compliance with regulatory requirements.

System Owners (QC, Production, and Engineering systems):

  • Shall be responsible for:
      • Identifying all critical data within their respective systems.
      • Defining appropriate backup frequency.
      • Verifying the accuracy and functionality of the restored systems.
  • Shall ensure that post-restoration verification results are documented and communicated to QA for review and approval.

All Users:

  • Shall be responsible for promptly reporting any system malfunction or data-access issue to IT and QA.
  • Users must refrain from performing any unauthorized recovery activity and follow the defined communication and escalation matrix at all times.

DEFINITIONS:

  • Disaster Recovery Plan (DRP): Planned process to recover systems ensuring data availability and integrity.
  • Backup: Secure, verified copy of data retained at designated on-site/off-site or cloud location.
  • Uninterruptible Power Supply / Diesel Generator (UPS/DG): Power-backup systems maintaining continuous operation.

 

PROCEDURE:

Incident Identification:

  • Any system alarm, data-loss notification, or user report shall be escalated to IT and QA within 30 minutes.
  • QA raises a Deviation Report and assesses impact on data integrity.

Activation of Power Backup:

  • The Diesel Generator shall support extended power outages.
  • Continuous power to servers, stability chambers, and network switches shall be verified.

Data Backup and Restoration:

  • The most recent qualified backup (on-site/off-site/cloud) shall be retrieved.
  • Restoration to validated server/hardware shall be performed following the Restoration Checklist.
  • Restoration activities shall be documented in the Disaster Recovery Logbook.
  • File integrity shall be verified via checksum, file-count, and log review.
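
The checksum and file-count check in the last step can be scripted as below. This is an added example, not part of the SOP: the function names, the SHA-256 choice and the sample files are assumptions, and in practice the manifest would be generated when the backup is taken and stored separately from it.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large database dumps do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256, e.g. at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the backup manifest: file count and checksums."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    mismatched = sorted(name for name in set(manifest) & set(restored)
                        if manifest[name] != restored[name])
    return {"expected_count": len(manifest), "restored_count": len(restored),
            "missing": missing, "extra": extra, "mismatched": mismatched,
            "passed": not (missing or extra or mismatched)}


def demo():
    """Constructed sample data: one clean restore, then one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp, "backup"), Path(tmp, "restored")
        sample = {"batch_001.csv": b"lot,assay\nA1,99.2\n",
                  "audit/trail.log": b"2024-01-01 user1 login\n"}
        for root in (backup, restored):
            for name, data in sample.items():
                (root / name).parent.mkdir(parents=True, exist_ok=True)
                (root / name).write_bytes(data)
        manifest = build_manifest(backup)
        clean = verify_restore(manifest, restored)
        (restored / "batch_001.csv").write_bytes(b"lot,assay\nA1,99.9\n")  # altered
        (restored / "audit/trail.log").unlink()                            # lost
        return clean, verify_restore(manifest, restored)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A failed result lists exactly which files are missing, unexpected or altered, which is the evidence the Disaster Recovery Logbook entry and any Deviation Report would need.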

Post-Restore Verification:

  • QA and System Owner shall verify and confirm jointly:
      • Successful system login/authentication.
      • Random record comparison between live and backup data.
      • Audit-trail continuity.
      • Instrument/network connectivity.
      • Electronic-signature validity (where applicable).
  • If discrepancies arise, a Deviation shall be raised and appropriate Corrective and Preventive Action (CAPA) shall be taken.

Risk Assessment and Preventive Actions:

  • Each GMP system shall have a Risk Assessment Form identifying potential failure modes and mitigation controls.
  • Critical systems shall be prioritized in DRP sequence.

Documentation and Record Retention:

  • DRP Execution Form with screenshots and verification evidence shall be completed.
  • All DRP records, backups, deviation/CAPA logs, and mock-drill reports shall be retained for a minimum of 5 years or system lifecycle + 1 year, whichever is longer.

Mock Testing and Training:

  • IT shall perform a mock disaster recovery drill once a year.
  • QA shall review and approve the reports of the mock disaster recovery drill.
  • Annual DRP training shall be conducted for all users and new joiners.

Business Continuity Linkage:

  • DRP shall interface with Site Business Continuity Plan (BCP) to ensure uninterrupted GMP operations.
  • The critical contact list and communication flow shall be maintained in both DRP and BCP.

REFERENCE:

  • EU GMP Vol. 4 Annex 11 – Computerized Systems
  • EU GMP Part I – Chapter 4 (Documentation)
  • Annex 15 – Qualification and Validation Principles
  • GMP 5 – Risk-Based Approach to Computerized System Validation

RECORDS:

| Sr No. | Title | Document No. |
|---|---|---|
| 1 | Disaster Recovery Logbook | F/QA018/001 – 00 |
| 2 | Disaster Recovery Plan execution form | F/QA018/002 – 00 |
| 3 | Backup and Restore report | F/QA018/003 – 00 |
| 4 | Mock Disaster Recovery Drill Record | F/QA018/004 – 00 |

REVISION HISTORY:

| Amendment Date | Update Summary | Version No. |
|---|---|---|
| NA | New SOP | 01 |
