CSV FDA Warning Letters : Audit Trail

Date: 14 January 2010
Link: FDA Warning Letter (New Window)

Observation

6. Your firm has not exercised appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)].

For example, your firm lacks systems to ensure that all electronic data generated in your Quality Control laboratory is secure and remains unaltered. All analysts have system administrator privileges that allow them to modify, overwrite, and delete original raw data files on the (b)(4) used (b)(4) in the High Performance Liquid Chromatography (HPLC) units. There are no procedures that address the security measures in place for generation and modification of electronic data files for these instruments used for raw material, in-process, finished product and stability testing. In addition, your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made.

Your September 17, 2009 response states that you replaced the (b)(4) HPLC systems operating on (b)(4) software with (b)(4) new qualified HPLC units from (b)(4) software. This validation information will be reviewed at the next inspection. In addition, your response is inadequate because it lacks a retrospective evaluation of the data from the former HPLC units. This will prevent an alteration of data prior to implementation of your corrective actions. Further, your response does not address security procedures to ensure that the data generated using the new HPLC units is secure and remains unaltered.

Comment

Again this post cites 21 CFR 211.68 although it could easily be a reference a violation of 21 CFR Part 11.

While the FDA has stated in the 21 CFR Part 11 Guidance to Industry that enforcement discression would be shown in the implimentation of audit trails the agency has shown through a number of warning letters that the regulated company must be able to demonstrate the integrity of the electronic record, both through the use of security measures and audit trails.

It appears that the agency is using 21 CFR 211 with guidance from 21 CFR Part 11 to drive the violations within the 483 Warning Letters.

An audit trail is a key function to ensuring the integrity of the electronic record and raw data. The audit trail requirements are detailed clearly within 21 CFR Part 11.

It is also clearly (from this observation) that having an audit trail is not enough, a process is required to ensure the data integrity through security procedures and review of the audit trail.

This requirement to review the audit trail needs to be carefully considered. Having a sweeping policy to review all audit trails routinely will be extremely labour intesive. A risk assessment considering access to the system, a process for ensuring critical parameters are not changed and a level of audit trail review may prove to be the most efficient, cost effective way of achieving compliance.