2 Mar 2011

CSV FDA Warning Letters : Laboratory Systems Security



Date: 20 April 2010
Link: FDA Warning Letter

Observation

This is a follow-up letter to an inspection in 2009 where the security of laboratory systems had been raised within the FDA 483.

6. Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 C.F.R § 211.68(b)].

a) Your firm's laboratory analysts have the ability to access and delete raw chromatographic data located on the (b)(4) of (b)(4) used to conduct HPLC testing. Due to this unrestrictive access, there is no assurance that laboratory records and raw data are accurate and valid.

b) Your firm's laboratory analysts have the ability to access and modify the formulas in the Excel spreadsheets used to calculate assay results for Guaifenesin and (b)(4) drug products. Due to this unrestricted access, there is no assurance that the formulas in the Excel spreadsheets are accurate and valid.

Your response appears to be adequate, but the effectiveness of the security features on your laboratory equipment will be verified at the next inspection.

Comment

It is a regular theme that pharmaceutical companies fail to have appropriate security controls over laboratory equipment. This again links with the approach in 2009 of citing against 21 CFR 211 rather than against 21 CFR Part 11. As discussed in a previous post, the FDA are planning to perform investigations against 21 CFR Part 11.

Part (a) of the observation requires that users of laboratory systems do not have access to the operating system, so that the raw data is secure.

In part (b) it is interesting that spreadsheets get a direct mention in the observation. Security controls over the spreadsheets should be employed to ensure that the formulas within them cannot be modified (either accidentally or maliciously). As a general rule, avoid using spreadsheets as much as possible, but where they are used they must be controlled and validated (see Spreadsheet Validation post).

A review of security controls within the laboratory areas should be performed as part of an inspection readiness program or periodic review. Ensure that controls are in place and that they are followed. Technical controls must be in place to ensure that users of the system do not have access to the operating system, which would in turn give them access to the electronic records.
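One way to include the spreadsheet control from part (b) in a periodic review is to check each calculation workbook for formula cells that a user could still edit. The script below is an added example, not taken from the warning letter or from this blog; the function names are illustrative and the sample workbook is constructed in memory with only the parts the check reads.

```python
# Added example; function names are illustrative, sample workbook is constructed.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def unlocked_styles(zf):
    """Indexes of cell formats (cellXfs) that explicitly clear the 'locked' flag."""
    if "xl/styles.xml" not in zf.namelist():
        return set()
    xfs = ET.fromstring(zf.read("xl/styles.xml")).findall("m:cellXfs/m:xf", NS)
    return {i for i, xf in enumerate(xfs)
            if (p := xf.find("m:protection", NS)) is not None
            and p.get("locked") in ("0", "false")}

def audit_formulas(xlsx_bytes):
    """Return (sheet part, cell, reason) for every formula cell a user could edit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        unlocked = unlocked_styles(zf)
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            prot = root.find("m:sheetProtection", NS)
            sheet_on = prot is not None and prot.get("sheet") in ("1", "true")
            for c in root.iterfind("m:sheetData/m:row/m:c", NS):
                if c.find("m:f", NS) is None:
                    continue  # not a formula cell
                if not sheet_on:
                    findings.append((name, c.get("r"), "sheet not protected"))
                elif int(c.get("s", "0")) in unlocked:
                    findings.append((name, c.get("r"), "cell unlocked"))
    return findings

def build_sample():
    """Constructed workbook holding only the parts this check reads."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    sheet = "<worksheet %s><sheetData><row r='1'>%s</row></sheetData>%s</worksheet>"
    styles = "<styleSheet %s><cellXfs><xf/><xf><protection locked='0'/></xf></cellXfs></styleSheet>"
    cells = "<c r='B1'><f>A1*2</f></c><c r='C1' s='1'><f>A1*3</f></c>"
    parts = {"xl/styles.xml": styles % ns,
             "xl/worksheets/sheet1.xml": sheet % (ns, cells, "<sheetProtection sheet='1'/>"),
             "xl/worksheets/sheet2.xml": sheet % (ns, "<c r='B1'><f>A1/4</f></c>", "")}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()
```

The check only confirms that worksheet protection is switched on and that formula cells are locked. File-level permissions on the workbook still have to prevent users from replacing or deleting it.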

Comments are always welcome.
