Examples of Recent FDA Warning Letters / 483s Related to Electronic Records (Part 11)

Increasing FDA Focus on Electronic Records Integrity, Security and Authenticity

FDA's Edwin Rivera has announced it in 2007 at the 31st International cGMP conference in Athens, GA. The title of his presentation was "“Data Integrity and Fraud - Another Looming Crisis?” He reported about significant manipulations of electronic records. Just a few examples:

• Biased manipulation of study data resulting in the acceptance of failed runs
• Intentional computer manipulations of chromatograms by cutting and pasting chromatographic data so that initial out-of-specification test results are brought into specifications
• Altering weights of samples and standards in analytical calculations

He also reported that in 3 out of 10 inspections FDA found problems with electroin records. In the same presentation Mr. Rivera announced several FDA actions

• Specialized training of investigational staff on uncovering data integrity, data manipulation and fraud
• PAIs to focus more on data integrity and fraud
• Agency committed to follow-up on leads or information regarding data manipulation and fraud

He also gave recommendation for the industry

• Train employees on proper data handling and reporting
• Assure the reliability of data reported in applications and manufacturing records
• Emphasize that everyone in the company is responsible for data integrity

In the meantime FDA officials did attend training to uncover problems with electronic integrity. For example, three FDA employees did attend Ludwig Huber's discussion session on Electronic Audit Trail at the 10th annual IVT conference in Arlington.  .

Since Edwin Rivera's announcement in 2007 the FDA inspectors focused on computer systems and e-records. Inspectors found many deviations related to Part 11 requirements, but the regulation in general was cited in the letters. Below are selected examples. The warning letters can be downloaded from the Labcompliance Usersclub. Non members can preview excerpts (scroll down to the W number as shown below.)

To prepare your organization for FDA inspections, and to avoid FDA warning letters related to computer validation, attend the Audio seminar: FDA's New Enforcement of 21 CFR Part 11, Strategies and Tools to implement FDA's New E-records&Signatures Directions

Most Important Deviations

• No individual passwords causes repudiation problems
• Insufficient system security
• No electronic audit trail
• (Electronic) raw data not saved or lost
• Electronic records, including audit trail, not reviewed
• No correlation between e-records and paper print-outs
• Missing procedures, e.g., access control
• No back-up of data
• No prevention of data deterioration during archiving
• No or inadequate computer system validation

New Audio Seminar on April 29, 2010

Understanding FDA's 21 CFR Part 11

Introduction and Strategies and Tools for Implementation

Examples of FDA Warning Letters / 483's

• There is no procedure to back-up data from the Personal Computer (PC) connected to the HPLC and the UV/Vis Spectrophotometer (231)
• Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel (231)
• The dedicated PC attached to HPLC Systems was not secure in that access to the software was not granted by a unique user name and password to avoid any omissions or changes to data. (231)
• Security measures have not been instituted to prevent the computer screen from remaining active and not protected from unauthorized access (231)
• Your firm's laboratory analyst had modified printed raw data related to the IR Spectra test of (b)(4) and (b)(4). We are concerned that the lack of security or system controls allows for this practice.(230)
• The laboratory control records should include complete documentation of all raw data generated during each test, including graphs, charts and spectra from laboratory instrumentation(230)
• Your response is inadequate because it fails to completely address how your firm will ensure the integrity of raw analytical data. Your response stated that a computer server will be purchased and installed to save and print the IR spectra by September 30th, 2009 (230)
• We highly recommend that you hire a third party auditor, with experience in detecting data integrity problems, to assist you with this evaluation and assist with your overall compliance with CGMP.(230)
• Your firm does not have master production and control records that justify variation in the amount of components necessary for the preparation of the dosage form [21 CFR 211.186(b)(4)]. (229)
• Your firm lacks systems to ensure that all electronic data generated in your Quality Control laboratory is secure and remains unaltered. All analysts have system administrator privileges that allow them to modify, overwrite, and delete original raw data files on the (b)(4) used (b)(4) in the High Performance Liquid Chromatography (HPLC) units. (229)
• There are no procedures that address the security measures in place for generation and modification of electronic data files for these instruments used for raw material, in-process, finished product and stability testing. In addition, your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made (229)
• All study data are handled and controlled by your Study Coordinator, who enters the data into an electronic data base.. Data cannot be verified against source records, since such records are not maintained (W-224).
• Operating parameters were maintained with the relevant xxx. However, electronic raw data was not saved. 21 CFR Part 211: (e) Complete records shall be maintained of all stability testing performed in accordance with Sec. 211.194 (e) (W-167).
• Your quality unit personnel informed the investigators that the computer software was upgraded and the raw data was lost during the software upgrade, We have serious concerns about your firms  implementation of changes to your computer system (E.g., software upgrade) (W-222).
• User access levels for the [redacted] software were not established and documented. Currently, laboratory personnel use a common password to gain access to the system and there are no user access level restrictions for deleting or modifying data. (W-198)
• Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel (W-198).
• There were no written protocols to assign levels of responsibilities for the system (W-209)
• Our investigators also found many instances with extensive manipulation of data with no explanation regarding why the manipulation was conducted. This manipulation would include changing integration parameters or re-labeling peaks such that previously resolved peaks would not be integrated and included in the calculation for impurities (W-203)
• Data stored on the computer can be deleted, removed, transferred, renamed or altered (W-209)
• There should be a record of any data change made, the previous entry, who made the change, and when the change was made. (W-209)
• No software changes in the study data could be detected as there was no audit trail capability (W-185)
• Data was copied onto the server from one system to the next via floppy: therefore, no limited access or data protection had been established (W-185)
• horizontal-wThere are no procedures for backing-up data files and no levels of security access established“ (W-138)
  You had not established an electronic data back-up procedure (W-185)
• Failure to store records so as to minimize deterioration, prevent loss and back up of automated data processing systems. (W-185)
• You failed to encrypt and/or physically secure your data back-up system to comply with the requirements to prevent deterioration or deletion of the analyzer data. (W-185)
• The electronic data did not correlate with the paper records. (W-185)
• The Quality Unit failed to review electronic data as part of batch release, review computer audit trails in the data acquisition system and provide adequate training to analytical chemists (W-158)
• Validation of the (brand name) laboratory software used to control instruments, generate data, perform calculations, and store data from raw material and finished product testing failed to demonstrate adequate security. (W-192)

Examples of FDA Warning Letters / 483's Related to Computer System Validation

• FDA Inspectors also found many deviations related to computer validation. To see examples, click here.

E-mail this page