CSV FDA Warning Letters : Security / Audit Trail

Date: 12 August 2008
Link: FDA Warning Letter (New Window)

Observation

6. Failure to establish appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel as required by 21 CFR 211.68 (b).
For example, the [redacted] data acquisition system for the [redacted] UV/Visible spectrophotometers allows your analysts to modify, overwrite, and delete original raw data files. The spectrophotometers are used for dissolution testing of finished product, stability samples, and process and method validation studies. All laboratory personnel were given roles as [redacted] Managers, which allowed them to modify, delete, and overwrite results files. This system also does not include an audit trail or any history of revisions that would record any modification or deletion of raw data or files. Your laboratory computer system lacks necessary controls to ensure that data is protected from tampering, and it also lacks audit trail capabilities to detect data that could be potentially compromised.

Comment

Refer to previous security notes from previous posts. The thing that is most noticeable from these posts ranging from 2007 to 2009 is that the FDA continues to quote only 21 CFR 211.68 (a) and (b) and does not directly quote 21 CFR Part 11.

The FDA Guidance (2003) states:

The Agency intends to exercise enforcement discretion regarding specific part 11 requirements related to computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.

Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the records.6 We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify, or delete regulated records during normal operation.

From this guidance it is clear that while the agency will exercise enforcement discretion in the implementation of audit trails there is an expectation that the regulated company will risk assess and demonstrate the integrity of the electronic record.

It is also worth noting that this observation is against configuration files and raw data and not against the final record / result, which I assume would be a printed record.

A Good Electronic Record Management (GERM) policy with a risk based approach to ensuring record integrity and based on the FDA final guidance should provide sufficient quality assurance for GMP Records and Associated Raw Data. This policy should include management of security and audit trails.