If you find the information within this blog useful please take the time to support the site and visit one of the Google advertisers.


10 Apr 2012

FDA Warning Letter - Raw Data

Date: 23 February 2012
Link FDA 483 (New Window)


4. Your firm has not established appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Your firm also fails to maintain a backup file of data entered into the computer or related system [21 CFR § 211.68(b)].

For example,

a) There is no system in place to ensure that all electronic raw data from the laboratory is backed up and/or retained.

During the inspection, you informed our investigators that electronic raw data would not exist for most HPLC assays over two years old because data is not backed up and storage space is limited.

Data is deleted to make space for the most recent test results. You also informed our investigators that printed copies of HPLC test results are treated as raw data.

Printed copies of HPLC test results from your firm’s systems do not contain all of the analytical metadata (for example: instrument conditions, integration parameters) that is considered part of the raw data. We acknowledge that your response indicates that you have created a procedure in order to implement the back-up and retention of HPLC data. This electronic HPLC data supports testing, disposition, and other significant quality control decisions, and it is essential that you maintain this information for each batch. In your response, please provide a detailed update on your firm’s implementation of this correction. Also describe your firm’s policy for retaining HPLC raw electronic data associated with pending applications.

b) You have not implemented security control of laboratory electronic data. All laboratory analysts share the same password for the HPLCs in the QC analytical chemistry lab and Omnilog in the microbiology lab. In addition, analysts have access to the HPLCs which allow them to create and/or modify validated methods.

Your response indicates that SOP EDS-084: Procedure to Assign User Access Levels and Privileges for Computerized Analytical System has been issued and training has been provided. Please clarify in the response to this letter how you define the levels of authorization or the user access and privileges for analysts. Your response also explains that analysts now have their own passwords and that changes will be captured by audit trail. We also note that your SOP does not have provisions for any audit trail reviews to ensure that deletions and/or modifications do not occur. Please provide an explanation of your firm’s procedures regarding audit trails.


As discussed in many other posts relating to Warning Letters the FDA are still citing against 21 CFR 211.68 rather than directly to 21 CFR Part 11 for the security and integrity of data. This post looks the first part of the observation relating to Raw Data, security has been covered under Applying Computer Systems Security (GAMP).

In the intial findings the Raw Data for a HPLC is not being backed up and the paper record (results) are not considered to be complete in that all the metadata is not included within the printed results.

These are quoted as:
  • instrument conditions
  • integration parameters
which is considered part of the raw data.

In the post Deleting Electronic Data it was discussed based on the FDA Final Guidance "Part 11, Electronic Records; Electronic Signatures — Scope and Application” that electronic version of the records can be deleted.

In the previous article i wrote

Removing (deleting) the electronic record removes the need to maintain the record and the additional overhead (effort) required to maintain the record compliantly. However the regulated company must ensure that the record is complete (that is does not rely on the electronic data).

this is key to this observation. The regulated company should have documented its decision and determined what records are required to be maintained to support the paper record. In the areas covered under the FDA observation (instrument conditions and integration parameters) these too could have been maintained as paper records either via log books or including printout of the configuration settings.

The regulated company did not show that due care and consideration had been taken in the decision to delete electronic records. The decision was based on the available storage and the completness of the record not considered.

When deciding whether to maintain the electronic records in electronic or paper formats ensure that the records are complete and include the required metadata to demonstrate the integrity of the records. Most importantly document the decision and the rationale.

No comments:

Post a Comment

All comments on the computer systems validation blog are welcome.