CSV FDA Warning Letter : Security Controls

Date: 14 Jan 2008
Link: FDA Warning Letter (New Window)

Observation

3. Failure to have a validated and secure computerized system. Additionally, there were no written protocols to assign levels of responsibilities for the system.

It was noted that the [redacted] instrument model [redacted] used for the analysis of [redacted] failed to have password control for the analysts and the supervisor. It was observed that the data stored on the computer can be deleted, removed, transferred, renamed or altered.

While your firm's management stated that they would like to implement certain improvements in order to establish a security system, no documentation or commitment has been provided.

Please note that computerized systems should have sufficient controls to prevent unauthorized access or changes to data. There should be controls to prevent data omissions and assure back-up. There should be a record of any data change made, the previous entry, who made the change, and when the change was made.

Comment

This is a clear observation against 21 CFR part 11. The 21 CFR part 11 observation identifies the following flaws in the management of electronic records and raw data

• Validation of the Computer System (21 CFR part 11.10(a))
• Security management (control of access 21 CFR part 11.10(d))
• Failure to protect records (21 CFR part 11.10(c))

Compliance with 21 CFR part 11 should remain a priority for regulated companies, the challenge is to develop processes that ensure the integrity of the record and data that does not provide excessive overhead to the regulated company.

The regulated company must define its approach to electronic records including.

• Validation
• Audit trails
• Security (including techincal and procedural controls)
• Retention of Electronic Records and Raw Data
• Backup and Archiving

The article Electronic Records provides an introduction to implimenting a risk based approach to Good Electronic Record Management.