CSV FDA Warning Letters : Security

Date: 16 April 2007
Link: FDA Warning Letter (New Window)

Observation

6. Appropriate controls are not exercised over computers or related systems to assure that changes in analytical methods or other control records are instituted only by authorized personnel [21 CFR 211.68(b)]. Specifically,
a) There was a failure to validate the [redacted] software to assure that all data generated by the system was secure. This software runs the laboratory HPLC equipment, generates and stores data, and performs calculations during testing of raw materials, in-process materials, finished products, and stability samples.
b) User access levels for the [redacted] software were not established and documented. Currently, laboratory personnel use a common password to gain access to the system and there are no user access level restrictions for deleting or modifying data. Furthermore, your system does not have an audit trail to document changes.

Comment

This is a similar observation to CSV FDA Warning Letters : Security in that the integrity of the record and the associated security was not considered at the time of the planning and installation of the system.

A Good Electronic Records Management (GERM) procedure with a risk based approach to ensure the integrity of records within the system should be deployed by the regulated company. A policy for managing user access to systems and verification of the security during Installation Qualification is critical to the validation process.