Case Studies
Document Number: E-420-01 Ver1.xx April 1, 2012
How to Respond to Data Integrity and Security Related FDA Observations

These are case studies for responding to FDA observations. They are proposals and starting points only. The type and extent of documentation depends on the process environment. The proposed examples should be adapted accordingly and should be based on individual situations. There is no guarantee that the case studies will pass a regulatory inspection.

Publication from

Global on-line resource for validation and compliance

Copyright by Labcompliance. This document may only be saved and viewed or printed for personal use. Users may not transmit or duplicate this document in whole or in part, in any medium. Additional copies and licenses for department, site or corporate use can be ordered from

While every effort has been made to ensure the accuracy of information contained in this document, Labcompliance accepts no responsibility for errors or omissions. No liability can be accepted in any way.

Labcompliance offers books, master plans, complete Quality Packages with validation procedures, scripts and examples, SOPs, publications, training and presentation material, and user club membership with more than 500 downloads and audio/web seminars. For more information and ordering, visit

Table of Contents

1. PURPOSE

2. SCOPE

3. REFERENCES

4. GLOSSARY

5. GENERAL RECOMMENDATION FOR RESPONDING TO INSPECTIONAL DEVIATIONS

6. EXAMPLES

6.1 Missing Procedures to Establish User Roles and Responsibilities to Access the System and Data (WL-242)

6.2 Missing Review of Electronic Audit Trail (WL-229)

6.3 Electronic Raw Data not Saved (WL-167)

6.4 Access to Computer Systems through Common Password (WL-198)

6.5 Missing Back-up Procedure (WL-231)

6.6 Back-up Data not Secured (WL-185)

6.7 No Automatic Screen Time-out (WL-185)

6.8 Access Information to Computers Shared (WL-026)

6.9 No Up-to-date Listing of Users of Computer Systems (WL-025)

6.10 Authorized Access to Computer System not Validated (WL-029)

1. PURPOSE

No or inadequate procedures and missing technical controls to ensure the security and integrity of electronic data are amongst the most frequently found deviations in FDA 483 inspectional observations and warning letters. Further damage can be avoided or minimized through a timely and adequate response to 483s and warning letters. These case studies should help to understand the issues and FDA concerns and to respond to the deviations according to FDA expectations.

2. SCOPE

Handling security and data integrity related inspection issues in FDA and equivalent internationally regulated environments.

3. REFERENCES

3.1. SOP S-551: “Integrity and Security of Electronic Laboratory Data”.
Available through

3.2. Checklist E-148-02: “Security and Integrity of Electronic Data”.
Available through

3.3. Website with extracts of GxP related FDA Warning Letters/483s and Establishment Inspection Reports.

4. GLOSSARY

Item / Explanation
WL-xxx / Warning Letter number xxx. The number correlates with the numbers on the web site

5. GENERAL RECOMMENDATION FOR RESPONDING TO INSPECTIONAL DEVIATIONS

A timely and adequate response to inspectional or audit findings is equally important to reduce or avoid further damage. Here are some general recommendations. They apply equally to regulatory inspections, to audits by your clients and to internal audits. Adequate responses to internal audits are an excellent exercise to avoid the same or similar problems during regulatory inspections.

  • Fully understand the content of each deviation in the exit meeting
  • If possible, discuss possible corrective action items (without commitments at this time)
  • Respond in time (e.g., 15 business days for FDA Warning Letters and 483s)
  • Address each listed deviation item separately
  • Mention that you understand and accept the deviation (if this is correct)
  • If some deviations are already fixed, provide documented evidence
    (this makes a very good impression)
  • For the others, write how you will correct the deviation in a corrective action plan
  • Provide a time schedule with tasks, owners and deliverables for the corrective action plan
  • Be realistic with the time frame. Most important is that it is doable, but don’t be too conservative, otherwise the regulatory agency may not accept it
  • Attach preliminary documentation for the corrections, if available
  • Write how you will prevent the same or a similar problem from re-occurring in a preventive action plan
  • Provide a time schedule with tasks, owners and deliverables for the preventive action plan
  • A possible preventive action could be: check if other computer systems in your department, at your site or in your company could have the same problem. If so, develop a plan for how to fix this (see also FDA Warning Letter WL-253)

FDA WL-253: In your response, your firm states that additional controls were implemented including validating the remote access to the (b)(4) computer, password protecting the room where the computer is stored, and limiting the (b)(4) control room to authorized personnel only. Although your corrective actions may adequately address the protection of the (b)(4) computer from non-traceable changes, your firm has not taken a global approach to this deficiency. It is our expectation that your other manufacturing and laboratory computerized systems will be reviewed to ensure similar deficiencies do not exist.

6. EXAMPLES

6.1 Missing Procedures to Establish User Roles and Responsibilities to Access the System and Data (WL-242)

Deviation:

Data security protocols are not established that describe the user's roles and responsibilities in terms of privileges to access, change, modify, create, and delete projects and data.

Root Cause (assumed for the purpose of this exercise)

The company was not aware that user roles and privileges need to be defined.

Corrective Actions

  • Dedicate a project owner to further investigate the need to establish the users’ roles and responsibilities in terms of privileges to access, modify, create and delete projects and data
  • The project owner, with the support of IT, QA and the user department, defines user rights
  • IT evaluates whether the system provides the functionality for user privileges. If not, IT contacts the vendor for an upgrade, then purchases and installs the upgrade
  • The project owner drafts a procedure that describes the users’ roles and responsibilities
  • IT trains users on how to use the functions to execute the privileges

Preventive Actions

  • Together with IT and User Departments the project owner develops a plan to establish the same procedure on all computers used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.2 Missing Review of Electronic Audit Trail (WL-229)

Deviation:

Your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made.

Root Cause (assumed for the purpose of this exercise)

The software has an electronic audit trail that is activated and validated, but the company was not aware that the audit trail should be reviewed.

Corrective Actions

  • Dedicate a project owner to further investigate the need to review the electronic audit trail
  • The project owner, together with support from the user department and QA, drafts an SOP to review the electronic audit trail for critical records. The procedure defines
    ◦ Which data should be reviewed
    ◦ Who should perform the review
    ◦ How the review should be documented
  • To facilitate the review, a checklist item for the review is included in the laboratory data review checklist
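The kind of review rules such an SOP might define, worked through on a constructed audit trail export. This is an added example and not part of the Labcompliance document or of any particular data system: the CSV columns, the action names (create, modify, delete, approve) and the three rules applied (a modification or deletion must carry a documented reason, no change after the record has been approved, no approval by someone who created or changed the record) are assumptions made for the illustration.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample export of an electronic audit trail. The column set is an
# assumption made for this example; a real system's export will look different.
SAMPLE_AUDIT_TRAIL = """\
timestamp,user,record,action,field,old_value,new_value,reason
2012-03-01T09:12:00,alice,SAMPLE-0017,create,,,,
2012-03-01T10:05:00,alice,SAMPLE-0017,modify,integration_start,1.20,1.35,peak tailing corrected per SOP
2012-03-01T11:00:00,bob,SAMPLE-0017,approve,,,,second-person review
2012-03-02T08:30:00,alice,SAMPLE-0017,modify,result,98.7,99.4,
2012-03-02T08:31:00,carol,SAMPLE-0018,delete,,,,
2012-03-02T09:00:00,dave,SAMPLE-0019,modify,result,101.2,99.9,retest after system suitability failure
2012-03-02T09:30:00,dave,SAMPLE-0019,approve,,,,self review
"""


@dataclass(frozen=True)
class Entry:
    timestamp: str
    user: str
    record: str
    action: str
    field: str
    old_value: str
    new_value: str
    reason: str


@dataclass(frozen=True)
class Finding:
    record: str
    timestamp: str
    user: str
    issue: str


def parse_audit_trail(text: str) -> List[Entry]:
    """Parse the CSV export into entries ordered by timestamp (ISO 8601 sorts lexically)."""
    rows = [Entry(**row) for row in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda e: e.timestamp)


def review_audit_trail(entries: List[Entry]) -> List[Finding]:
    """Apply the assumed review rules and return one finding per rule violation."""
    findings: List[Finding] = []
    approved_at: Dict[str, str] = {}      # record -> timestamp of its latest approval
    touched_by: Dict[str, Set[str]] = {}  # record -> users who created/modified/deleted it
    for e in entries:
        if e.action in ("create", "modify", "delete"):
            touched_by.setdefault(e.record, set()).add(e.user)
        if e.action in ("modify", "delete"):
            if not e.reason.strip():
                findings.append(Finding(e.record, e.timestamp, e.user,
                                        "change without documented reason"))
            if e.record in approved_at:
                findings.append(Finding(e.record, e.timestamp, e.user,
                                        f"change after approval at {approved_at[e.record]}"))
        elif e.action == "approve":
            if e.user in touched_by.get(e.record, set()):
                findings.append(Finding(e.record, e.timestamp, e.user,
                                        "approval by a user who changed the record"))
            approved_at[e.record] = e.timestamp
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(parse_audit_trail(SAMPLE_AUDIT_TRAIL)):
        print(f"{f.record} {f.timestamp} {f.user}: {f.issue}")
```

Run stand-alone it prints four findings for the sample trail. Each finding names the record, the time and the user, which is the material a reviewer needs to document what was checked and what was escalated, the third point the SOP has to cover.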

Preventive Actions

  • Together with User Departments the project owner develops a plan to establish the same procedure on all computers used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.3 Electronic Raw Data not Saved (WL-167)

Deviation:

Operating parameters of the spectroscopy system were maintained with the relevant test records. However, electronic raw data was not saved (WL-167). (21 CFR Part 211, Sec. 211.194(e), requires that complete records shall be maintained of all stability testing performed.)

Root Cause

Wrong SOP: for this case the procedure did not require saving electronic raw data. It was felt that the printout could be used to demonstrate compliance with 21 CFR Part 11.

Corrective Actions

  • Dedicate a project owner to further investigate which data constitute raw data that must be available for FDA inspections
  • The project owner, together with support from the user department and QA, drafts an SOP to define raw data for this specific application
  • The procedure requires saving electronic raw data for this specific application and instrument (spectrophotometer)
  • The procedure has already been implemented

Preventive Actions

  • Together with User Departments the project owner develops a plan to investigate other applications and to document for each application what the raw data are and in which format the data should be archived

Attachments

  • SOP that defines electronic raw data for the inspected application
  • Preventive Action Plan with time table, deliverables and owners

6.4 Access to Computer Systems through Common Password (WL-231)

Deviation:

The dedicated PC attached to the HPLC systems was not secure in that access to the software was not granted by a unique user name and password to avoid any omissions or changes to data.

Root Cause (assumed for the purpose of this exercise)

The company felt that common passwords are more convenient than unique individual user passwords.

Corrective Actions

  • Dedicate a project owner to further investigate the need for individual user access to the system rather than group access
  • The project owner, together with support from the user department and QA, drafts an SOP on how to issue passwords for individual users
  • IT allocates a unique user ID to each individual user and distributes the user IDs and default passwords to the users
  • IT trains users on how to get access to the system and how to change passwords
  • Users are required to change the default password

Preventive Actions

  • Together with User Departments the project owner develops a plan to establish the same procedure on all computers used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.5 Missing Back-up Procedure (WL-231)

Deviation:

There is no procedure to back up data from the Personal Computer (PC) connected to the HPLC and the UV/Vis Spectrophotometer.

Root Cause (assumed for the purpose of this exercise)

The users felt that back-up is too much work and that there is no real need for it.

Corrective Actions

  • Dedicate a project owner to further investigate the need for back-up
  • The project owner, together with support from the user department, IT and QA, drafts an SOP to regularly back up regulated data. The procedure defines
    ◦ Which data should be backed up
    ◦ Frequency
    ◦ Type of back-up (incremental vs. full)
  • IT sets up an automated back-up program according to the procedure
  • IT trains the user department on how the back-up works and what to do in case the back-up data are needed
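The three decisions the procedure has to make (which data, full vs. incremental, and how a restore is checked) as working code. This is an added example, not part of the Labcompliance document or of any back-up product: the directory layout, the rule that only `.dat` and `.met` files count as regulated data, and the SHA-256 manifest written with each back-up are assumptions made for the illustration. The manifest is what lets the back-up later be checked for deterioration or deletion, the concern raised in the next case.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# Assumption for this example: the SOP's "which data should be backed up"
# decision is expressed as a set of file suffixes treated as regulated data.
REGULATED_SUFFIXES = (".dat", ".met")


def hours_ago(hours: float) -> float:
    """Epoch timestamp `hours` hours before now, used as the incremental cut-off."""
    return time.time() - hours * 3600


def make_sample_data_dir() -> Path:
    """Create a constructed sample instrument data tree in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="hplc_data_"))
    (root / "methods").mkdir()
    (root / "results").mkdir()
    three_days_ago = hours_ago(72)
    older_files = {
        "methods/assay.met": b"method: assay v3\n",
        "results/run1.dat": b"sample 17 chromatogram\n",
        "results/run2.dat": b"sample 18 chromatogram\n",
        "results/temp.log": b"instrument chatter, not regulated data\n",
    }
    for rel, content in older_files.items():
        path = root / rel
        path.write_bytes(content)
        os.utime(path, (three_days_ago, three_days_ago))  # backdate modification time
    # One file modified today, so an incremental run has something to pick up.
    (root / "results" / "run3.dat").write_bytes(b"sample 19 chromatogram\n")
    return root


def plan_backup(root: Path, mode: str, since: float = 0.0) -> List[Path]:
    """Select regulated files: all of them for "full", only those modified after
    `since` (epoch seconds) for "incremental"."""
    if mode not in ("full", "incremental"):
        raise ValueError(f"unknown backup mode: {mode}")
    selected: List[Path] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in REGULATED_SUFFIXES:
            continue
        if mode == "incremental" and path.stat().st_mtime <= since:
            continue
        selected.append(path)
    return selected


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, files: List[Path]) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256; stored with the back-up."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in files}


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Report files under root that are missing or no longer match the manifest."""
    problems: List[str] = []
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.is_file():
            problems.append(f"{rel}: missing")
        elif sha256_of(path) != expected:
            problems.append(f"{rel}: checksum mismatch")
    return problems


if __name__ == "__main__":
    data_dir = make_sample_data_dir()
    full = plan_backup(data_dir, "full")
    manifest = build_manifest(data_dir, full)
    print("full backup:", [p.relative_to(data_dir).as_posix() for p in full])
    print("incremental (last 24 h):",
          [p.name for p in plan_backup(data_dir, "incremental", since=hours_ago(24))])
    print("verification problems:", verify_against_manifest(data_dir, manifest))
```

The full run selects the four regulated files and skips the log file; the incremental run selects only the file changed since the cut-off. After a restore, running `verify_against_manifest` over the restored tree against the stored manifest shows whether anything was lost or altered in storage.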

Preventive Actions

  • Together with User Departments the project owner develops a plan to establish the same procedure on all computers used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.6 Back-up Data not Secured (WL-185)

Deviation:

You failed to encrypt and/or physically secure your data back-up system to comply with the requirements to prevent deterioration or deletion of the analyzer data.

Root Cause (assumed for the purpose of this exercise)

The company felt this is not important, so there was no strategy and procedure to secure back-ups.

Corrective Actions

  • Dedicate a project owner to further investigate the need to secure back-up data
  • The project owner, together with support from IT, the user department and QA, drafts an SOP to secure back-up data. The procedure defines
    ◦ How to secure the data, through encryption or by physical means
  • If necessary, IT orders and installs the required hardware

Preventive Actions

  • Together with User Departments and IT the project owner develops a plan to establish the same procedure on all back-up systems used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.7 No Automatic Screen Time-out (WL-185)

Deviation:

The computers in the lab do not time out. If an employee fails to log off a computer and walks away, other individuals can easily access the computer under the first employee’s account.

Root Cause (assumed for the purpose of this exercise)

A screensaver was installed but not activated. There was no procedure to activate the screen saver, as the company felt everybody can be trusted and will not access others’ computers and data.

Corrective Actions

  • Dedicate a project owner to further investigate the need to prevent the screen from remaining active when the computer is not used
  • The project owner, together with support from IT, from the user department and from QA, drafts an SOP with the requirement for automatic inactivity disconnect: the system logs the user off if no action has been taken within a specified time. The SOP describes
    ◦ Which applications require the time-out
    ◦ The duration of allowed monitor activity when no actions are taken

Preventive Actions

  • Together with User Departments the project owner develops a plan to establish the same procedure on all computers used for FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.8 Access Information to Computers Shared (WL-026)

Deviation:

An employee's user name and computer password were publicly posted for other employees to use to access the Data Management System (WL-026).

Root Cause (assumed for the purpose of this exercise)

The meaning of user IDs and passwords was not obvious to users. This is a training issue.

Corrective Actions

  • Develop a plan to train all employees in the department on the meaning and importance of passwords

Preventive Actions

  • Set up a training plan to regularly train all employees in the department on all regulations with impact on the department. Special focus will be on training employees on the spirit of the regulations and on the consequences of non-compliance

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.9 No Up-to-date Listing of Users of Computer Systems (WL-025)

Deviation:

No current listing of individuals who have access to the database program or of what level of access each individual has.

Root Cause (assumed for the purpose of this exercise)

The company was not aware that such a listing is required.

Corrective Actions

  • Develop an SOP that requires listing individuals who have access to computer systems
  • The list should include
    ◦ Current and previous users
    ◦ For previous users, the date when the user left the department or assignment
    ◦ What access level each user has
  • Prepare such a list for the inspected database program
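Building the listing from two sources and using it to catch what the listing exists to catch: accounts still enabled for people who have left, and accounts that match nobody on the roster. This is an added example, not part of the Labcompliance document or of any database program: the two CSV exports (the system's account administration and an HR/department roster with leaving dates) and their column names are constructed for the illustration.

```python
from __future__ import annotations

import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample inputs. In practice the first comes from the system's
# user administration export and the second from HR or the department head.
SYSTEM_ACCOUNTS = """\
user_id,full_name,access_level,enabled
asmith,Anna Smith,administrator,yes
bjones,Ben Jones,analyst,yes
clee,Chris Lee,analyst,yes
dkim,Dana Kim,reviewer,no
eroe,Eve Roe,analyst,yes
"""

HR_ROSTER = """\
user_id,department,left_on
asmith,QC Lab,
bjones,QC Lab,2012-02-15
clee,QC Lab,
dkim,QC Lab,2011-11-30
"""


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def build_user_listing(accounts_csv: str, roster_csv: str, as_of: str) -> List[Dict[str, object]]:
    """Combine the account export with the roster into the listing the SOP requires:
    current and previous users, the leaving date for previous users, and each
    user's access level. `as_of` is an ISO date (YYYY-MM-DD)."""
    as_of_date = date.fromisoformat(as_of)
    roster = {row["user_id"]: row for row in load_rows(roster_csv)}
    listing: List[Dict[str, object]] = []
    for acct in load_rows(accounts_csv):
        hr = roster.get(acct["user_id"])
        left_on = hr["left_on"].strip() if hr else ""
        if hr is None:
            status = "unknown"          # account with no matching person
        elif left_on and date.fromisoformat(left_on) <= as_of_date:
            status = "previous"
        else:
            status = "current"
        listing.append({
            "user_id": acct["user_id"],
            "full_name": acct["full_name"],
            "access_level": acct["access_level"],
            "enabled": acct["enabled"].strip().lower() == "yes",
            "status": status,
            "left_on": left_on,
        })
    return listing


def find_access_discrepancies(listing: List[Dict[str, object]]) -> List[str]:
    """Entries the list owner must act on before the listing can be called current."""
    issues: List[str] = []
    for row in listing:
        if row["status"] == "previous" and row["enabled"]:
            issues.append(f"{row['user_id']}: account still enabled although the user left on {row['left_on']}")
        if row["status"] == "unknown":
            issues.append(f"{row['user_id']}: account not matched to any current or former employee")
    return issues


def format_listing(listing: List[Dict[str, object]]) -> str:
    """Render the listing as the plain-text table that would be attached to the response."""
    lines = [f"{'User ID':<10}{'Name':<14}{'Access level':<15}{'Status':<10}{'Left on':<12}Enabled"]
    for row in listing:
        left_on = row["left_on"] or "-"
        enabled = "yes" if row["enabled"] else "no"
        lines.append(f"{row['user_id']:<10}{row['full_name']:<14}{row['access_level']:<15}"
                     f"{row['status']:<10}{left_on:<12}{enabled}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = build_user_listing(SYSTEM_ACCOUNTS, HR_ROSTER, "2012-04-01")
    print(format_listing(rows))
    for issue in find_access_discrepancies(rows):
        print("DISCREPANCY:", issue)
```

For the sample data the listing shows two previous users; one of them (bjones) is still enabled and one account (eroe) belongs to nobody on the roster, which are exactly the two lines an inspector would ask about. Rerunning the reconciliation on a schedule is what keeps the listing "up to date" rather than a one-time attachment.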

Preventive Actions

  • Develop lists for all computers used in FDA regulated areas

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

6.10 Authorized Access to Computer System not Validated (WL-029)

Deviation:

Authorized LAN access through corporate WAN users was not validated.

Root Cause (assumed for the purpose of this exercise)

There was no requirement to validate the limited access.

Corrective Actions

  • Develop a general procedure and protocols for the validation of limited access to computer systems
  • Validate limited access to the LAN through corporate WAN users

Preventive Actions

  • Validate limited access to the LAN for other users (besides WAN users)
  • Validate limited access to all computer systems used in FDA regulated environments

Attachments

  • Corrective Action Plan with time table, deliverables and owners
  • Preventive Action Plan with time table, deliverables and owners

(Replace with your company’s name) FOR INTERNAL USE