Expert Advice


Recent FDA Inspection Findings Related to Part 11 and Computer Systems

483's, Warning Letters, EIR's, Presentations: 2004-2007 

Overview

The FDA started to enforce 21 CFR Part 11 in 1999, about two years after releasing the regulation. Between 1999 and 2002 the FDA reported many deviations from the regulation in 483's, EIR's and Warning Letters, and also through conference presentations by FDA officials. With the promotion of the new approach in 2003 the FDA stopped enforcing Part 11 and requirements for computer systems, but resumed in 2004 and thereafter, with the highest density in 2006 and 2007. Most deviations have not been referenced directly to Part 11 but to predicate rule requirements. In some cases the FDA also gave advice on specific questions related to Part 11. This Expert Advice article lists FDA inspection findings related to Part 11 and other computer system related requirements. Labcompliance has developed a Part 11 Compliance Package that helps to avoid deviation reports under current and future Part 11 requirements.


Examples for Inspection Findings

Insufficient Data Security with Ability to Overwrite Data

W-192

The inspection covered the quality, production, laboratory and packaging systems of a pharmaceutical manufacturer. Among other things, the inspection revealed a failure to demonstrate data security: analysts had the ability to overwrite original laboratory data.

The 483 observation reads:

  • Validation of the (brand name) laboratory software used to control instruments, generate data, perform calculations, and store data from raw material and finished product testing failed to demonstrate adequate security. Analysts have the ability to overwrite original data, and are not required to utilize the protection of individual passwords.
  • The corresponding EIR further states: During discussions and lab demonstrations, it was determined that neither system prevents analysts from overwriting original raw data. A review of the software validation showed initial failures for modules demonstrating the ability to delete or overwrite data. Documentation in the validation report stated that this capability could not be changed. During the laboratory demonstration, I observed the statement, "Data will be overwritten" with the option to ignore this.
  • In addition to the ability to overwrite original data, the analysts are not required to utilize the protection of passwords since they are considered to have "limited access". I stated that each analyst needs to have their own password to access the system to help ensure data security and to track the usage by individuals.

The 483, the EIR and the company's responses to the 483 can be downloaded from the Labcompliance Usersclub (W-192).

Computer Validation at the Vendor's Site is not Enough

W-191

The inspection was made at an organ procurement operation. The inspection focused on general operations of the firm, with specific focus on validation of computer software in the area of donor referral operations. At the conclusion of the inspection, an FDA-483 was issued to and discussed with the management in the areas of computer software verification and maintaining records concurrently.

The 483 deviation stated:

  • The performance of the computer software has not been verified. Specifically your firm has not verified your computer software program in all aspects of their donor referral operations to ensure that electronic records are trustworthy, accurate and reliable. The related EIR further explained: The firm uses a computer software program called (brand name) that is manufactured by (vendor name).
  • During the inspection, I asked if the computer software has been validated to assure that it performs for its intended use. I was told that the software was validated by the manufacturer. The managing director provided me a copy of the letter she received from (the vendor). The letter indicated that the software was validated. She also gave me a copy of validation information that was obtained from (the vendor) during the inspection.
  • I told the managing director I still need to see what they have done to validate the system since the computer was making a decision to accept or reject potential donors. The managing director and the Manager of the Communications Center told me that they were unaware that the company had to validate the software because it was validated by (the vendor) and that was their reason for purchasing the version of software instead of the COTS (Commercial Off The Shelf) version of the software that is also manufactured by (the vendor).

The 483, the EIR and the company's response to the 483 can be downloaded from the Labcompliance Usersclub (W-191).

Legacy Computer Systems not Validated

W-190

Legacy systems are listed under enforcement discretion in FDA's current guidance for Part 11. Therefore some companies believe that such systems don't need to be validated. This assumption is incorrect, as demonstrated by the EIR inspection report and 483 observation that came out of an inspection of a system installed in 1989.

The inspection was conducted for the pre-approval of an NDA for an API under CP 7346.832. The inspection focused on computer software, networks and database issues. The company uses two major integrated computer systems that work in concert to control production operations. The network program was purchased as a configurable software controlled system that has been customized to meet functional requirements specific to the firm's needs.
The system controls raw materials and finished API lots by warehouse and production operations. The system is accessed by the QU for online review of QC test results during batch release operations.

Some of the 483 deviations include:

  • No IQ, OQ or PQ has been performed throughout the life of the system. No validation reports have been generated historically.
  • Current efforts to retrospectively validate the system have progressed through the approval of an IQ protocol, however, this protocol has not yet been executed. OQ and PQ efforts have not yet been developed as part of these current validation efforts.
  • The (system) has not been maintained under established procedures for change control. This is true throughout the life of this software application.
  • The firm has failed to generate or maintain design control documentation sufficient to define all customized elements making up the (system) configuration (i.e., functional or structural design documentation defining all programs making up (the system)).
  • Electronic records generated during manufacture of APIs were not reviewed prior to release of validation lots or for any lots manufactured thereafter to include the most recently released API lot.

The EIR and the 483 can be downloaded from the Labcompliance Usersclub (W-190).

Off-the-shelf Software such as Microsoft Word and Microsoft Excel not Validated

W-189

The inspection made at a device manufacturer revealed that off-the-shelf software such as Microsoft Word and Microsoft Excel, used for creating and maintaining non-conformance and other records, had not been validated.

Deviations are:

  • Failure to assure that when computers or automated data processing are used as part of the production or quality system the manufacturer shall validate computer software for its intended use according to an established protocol, as required by 21 CFR 820.70(i).
  • For example, electronic records are used but there was no software validation.
  • No procedures are established to validate for its intended purpose the Microsoft Word or Microsoft Excel software used in creating and maintaining nonconformance records, product return records, internal audit corrective records, or corrective action records.
  • We have reviewed your response and have concluded that it is inadequate because off-the-shelf software must be validated for its intended purpose.
  • You have stated that a review will be conducted for existing forms and an implementation of a new record control system to meet FDA requirements will be pursued. A new system may not be necessary; however, no procedures have been submitted for review and no timetable for corrective action and response was indicated. 

Comment from Labcompliance: This warning letter appears to be surprising to some extent. While it is expected that Excel applications used for calculations need to be validated (for details see the Labcompliance Spreadsheet and Macro Quality Package), the current FDA Part 11 Guidance states: "We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. For instance, validation would not be important for a word processor used only to generate SOPs." The conclusion is that widely used off-the-shelf software, when used for tracking and maintaining higher-risk records, needs to be validated to some extent. For example, correct functioning of limited access to such records and of electronic audit trail functions should be verified. This is particularly important if the electronic records are the only records to demonstrate compliance with the regulations.

Inadequate Storage and Back-up and no Correlation Between Electronic and Paper Records

W-185

The inspection made at a device manufacturer revealed that the methods used for electronic storage are not in conformity with FDA's Current Good Manufacturing Process.

Deviations are:

  • Failure to store records so as to minimize deterioration, prevent loss and back up of automated data processing systems.
  • The electronic data did not correlate with the paper records.
  • You had not established an electronic data back-up procedure; and finally
  • Data was copied onto the server from one system to the next via floppy: therefore, no limited access or data protection had been established.
  • We have reviewed your response and have concluded it is inadequate because you failed to encrypt and/or physically secure your data back-up system to comply with the requirements to prevent deterioration or deletion of the analyzer data.
  • Failure to adequately validate the intended use of this PC and its software.
  • The dedicated PC [redacted] attached to the [redacted] was not secure in that access to the data on [redacted] was not granted by a unique username and password or equivalent method.
  • There was no documentation associated with the electronic data for who was responsible for collection of the analytical results as several quality control personnel have access to the [redacted]; no software changes in the study data could be detected as there was no audit trail capability; and finally, the electronic data did not correlate with the paper records.
  • We have reviewed your response and have concluded that it is inadequate because no system validation was conducted to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

The Warning Letter can be downloaded from the Labcompliance Usersclub (W-185).

Accuracy of Inputs to and Outputs from HPLC Instruments not Checked

W-180

The Warning Letter was issued based on conditions found during an inspection conducted between July 10, 2006 and August 10, 2006. The letter states:

  • "There was a failure to check for accuracy the inputs to and outputs from the Total Chrom Data Acquisition System, which is used to run your firm's HPLC instruments during analysis of drug products.
  • For example, electronic data files were not routinely checked for accuracy and, as mentioned in the above observations, our investigators found numerous discrepancies between the electronic data files and documentation in laboratory notebook."
  • In addition the company failed to record chromatographic raw data related OOS test results: "The chromatographic test data reflecting the out-of-specification test results were not recorded in laboratory notebooks. Instead, a new sample preparation was injected within the same chromatographic run without supervisory approval, as required by your firm's SOP".

The Warning Letter can be downloaded from the Labcompliance Usersclub (W-180).

Databases for Data Analysis and Other Tracking and Trending Functions not Validated

W-179

The Warning Letter was issued based on an inspection from December 2006. For example, the letter stated:

  • Failure to have production and process controls for automated processes, when computers or automated data processing systems are used as part of production or the quality system.
  • A manufacturer is required to validate computer software for its intended use according to an established protocol. For example, databases that are maintained for data analysis and other tracking and trending functions, including complaint and services access databases, have not been validated for their intended use".

In addition the company was cited for inadequate identification of training needs, for failure to follow document control requirements, for no or inadequate CAPA procedures, and for no validation or verification that implemented CAPA activities are effective. The Warning Letter can be downloaded from the Labcompliance Usersclub (W-179).

Electronic Raw Data not Saved

W-167

The inspection was made at a pharmaceutical manufacturing facility and focused on stability testing records. The inspection revealed significant deviations from 21 CFR Part 211.194.

The letter lists as primary deviations:

  • Operating parameters were maintained with the relevant xxx. However, electronic raw data was not saved.
  • According to the Director of Quality Assurance, xxx began saving electronic raw data just recently at the beginning of February 2006. However, that was not observed during the inspection.
  • The SOP allows "discarding" data due to variation in the xxx area or any other reason.
  • Your firm failed to establish and follow an adequate written stability testing program design to assess the stability characteristics of drug products.
  • Storage conditions for samples retained for stability testing are not adequately documented.
  • The Quality Control Unit lacks adequate laboratory resources (personnel, equipment) for conducting stability testing of drug products.

The Warning Letter can be downloaded from the Labcompliance Usersclub (W-167).

Part 11 Advice for Hybrid Complaint Management Data Base

W-166

The inspection was made at a cosmetics and OTC drug manufacturer. No FDA-483 Inspectional Observation was issued to the firm; however, several items were discussed verbally with the firm, including Part 11 compliance of computer systems.

The EIR reads:

  • I explained computerized records that are required under drug GMPs are the ones that would have to comply with Part 11 regulations.
  • Computerized records that the firm keeps to make it easier to sort or find certain information would not necessarily have to comply with Part 11 regulations.
  • As an example, I explained that if the firm has a database for complaints, but still records everything on paper (and the paper copy is the official record), the database would not have to comply with Part 11.
  • However, if the database was their only record, the database would have to comply with Part 11.

The EIR can be downloaded from the Labcompliance Usersclub (W-166).

Electronic Data Changed After Approval by the Supervisor

W-165

An inspection of a pharmaceutical manufacturer revealed serious regulatory problems with electronic records. The FDA found that computer data, including analysis results, could be changed after they had been approved by the supervisor. This was documented in the FDA establishment report and cited as an observation in a Form 483 inspectional observation:

  • "The computerized system is not secure in that it is possible for data entered to be changed. This was observed following a request during inspection for a challenge to be performed during which it was determined that previously recorded input including sample gross and net weights and the final result could be changed".

Obviously the computer system did not have the functionality required for Part 11 compliance, e.g., an electronic audit trail. The company responded with a 3-step corrective action plan:

  • "The computerized system will be upgraded to appropriately address the concerns raised.
  • The system will be totally renovated so that it will appropriately comply with the requirements of 21 CFR Part 11.
  • The date and time of operator entries and actions that create, modify and delete electronic records will be independently recorded as computer generated audit trail."

The 483, the full inspection report (EIR), the company's correction plan and FDA's answer to the corrective action plan can be downloaded from the Labcompliance Usersclub (W-165).

Falsified Electronic Records Generated in Tests of Drugs Led to Bankruptcy of a Drug Manufacturer

W-158

A former Vice President in charge of the Quality Control Department and three supervisory chemists at a now non functional generic drug manufacturer pleaded guilty to a conspiracy involving the rampant falsification and manipulation of testing data of drugs. The fraud had been documented in an FDA 483 Inspectional Observation from May 2005. For example the 483 states:

  • "Samples of drug products were routinely re-sampled, and re-injected or reprocessed during testing in the QC Laboratory when out of specification (OOS) results were obtained",
  • "The Quality Unit failed to review electronic data as part of batch release, review computer audit trails in the data acquisition system and provide adequate training to analytical chemists", and
  • "OOS results were substituted with passing results by analysts and supervisors. The substitution of data was performed by cutting and pasting of chromatograms, substituting vials, changing sample weights and changing processing methods".

After the testing problems were disclosed, the company's share price dropped nearly 75% in one day, from $24 to $6.36. A few months later, the company filed for bankruptcy. It later was liquidated. "The damage from the fraud was devastatingly complete," Christopher Christie, the U.S. Attorney for New Jersey, said in a statement. "Consumers were put at risk, a company that employed 500 people was destroyed, and shareholders were left with nothing in the end." All this is the result of non-compliance with FDA's GMP and Part 11 regulations. The 483 can be downloaded from the Labcompliance Usersclub (W-158).

No Formal Risk Analysis after Software Changes

W-146

Risk based compliance has been promoted by the FDA to optimize resources at the FDA and in industry. For example, the new FDA Part 11 guidance on scope and controls states that the extent of validation should be based on a justified and documented risk assessment, and Part 820 spells out the requirement for risk assessment. The FDA seems to have begun looking into risk assessment for computer systems. This became obvious in an inspection for compliance with 21 CFR 820 from Dec 7-21, 2004, which resulted in a warning letter.

  • According to the warning letter, the company failed to "Establish and maintain adequate procedures for validating the device design to ensure that the device conforms to user needs and intended uses and include risk analysis, as required by 21 CFR 820.30(g) (FDA 483, Item 151.
  • For example, a formal risk analysis of the original system design and software changes to correct software bugs that caused incorrect functionality or performance problems, and to enhance the product, has not been documented. Although your software release notes briefly describe the nature of unresolved software bugs in a particular software version, they do not explain the impact of these software bugs on user needs and intended uses".
  • Furthermore, the company was cited for insufficient documentation of installation, for missing procedures for finished device acceptance, and for inadequate inspections.

The warning letter can be downloaded from the Labcompliance Usersclub (W-146).

Electronic Medical Records System Violates Part 11

W-145

During an inspection of a clinical study facility the FDA also inspected the company's electronic medical record system. The inspector found several deviations related to Part 11. The warning letter has several recommendations on how to bring the system into compliance. The letter reads:

  • Please note that Title 21, Code of Federal Regulations, Part 11, "Electronic Records; Electronic Signatures" outlines specific requirements that must be met for any system that is being used to maintain required records. In addition to the information requested above, please submit the following:
  • documentation of the validation of your EMR system to ensure accuracy, reliability, and the ability to detect invalid or altered records;
  • documentation of the ability to generate accurate and complete copies of records suitable for inspection, review, and copying by the agency;
  • documentation of a secure, computer-generated, time-stamped audit trail that can independently record the date and time of operator entries and actions that create, modify, or delete electronic records, and to verify that record changes do not obscure previously recorded information.

The 483 can be downloaded from the Labcompliance Usersclub (W-145).
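
The audit-trail requirement quoted in this letter, and the overwrite findings under W-165 and W-143, can be illustrated with a small append-only store. This is an added example, not code from Labcompliance, the FDA or any inspected firm; the class, the record ids, the user names and the mandatory reason field are assumptions of the sketch.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_hash(body):
    """SHA-256 over a canonical JSON encoding of one audit entry."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedStore:
    """Records are never overwritten; each action appends an audit entry."""

    def __init__(self):
        self.trail = []

    def _append(self, user, action, record_id, old, new, reason):
        if not user:
            raise PermissionError("action must be attributable to one user")
        body = {
            "seq": len(self.trail),
            "time": datetime.now(timezone.utc).isoformat(),  # system clock
            "user": user, "action": action, "record_id": record_id,
            "old": old, "new": new, "reason": reason,
            "prev": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        self.trail.append({**body, "hash": entry_hash(body)})

    def current(self, record_id):
        """Latest value, or None if the record is absent or deleted."""
        value = None
        for entry in self.trail:
            if entry["record_id"] == record_id:
                value = entry["new"]
        return value

    def create(self, user, record_id, value):
        if self.current(record_id) is not None:
            raise ValueError("record exists; use modify() so the change is logged")
        self._append(user, "create", record_id, None, value, "")

    def modify(self, user, record_id, value, reason):
        old = self.current(record_id)
        if old is None:
            raise KeyError(record_id)
        if not reason:  # assumption of this sketch: changes carry a reason
            raise ValueError("a change needs a documented reason")
        self._append(user, "modify", record_id, old, value, reason)

    def delete(self, user, record_id, reason):
        old = self.current(record_id)
        if old is None:
            raise KeyError(record_id)
        self._append(user, "delete", record_id, old, None, reason)

    def history(self, record_id):
        """Every value the record ever had, oldest first."""
        return [(e["user"], e["action"], e["old"], e["new"])
                for e in self.trail if e["record_id"] == record_id]

    def first_invalid(self):
        """Seq of the first entry that was altered or re-linked, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or entry["hash"] != entry_hash(body)):
                return i
            prev = entry["hash"]
        return None


def demo():
    """Constructed sample: a weight is corrected, then silently overwritten."""
    store = AuditedStore()
    store.create("analyst_a", "lot-001/net_weight_mg", 101.7)
    store.modify("analyst_a", "lot-001/net_weight_mg", 100.2,
                 "transcription error, see notebook")
    history = store.history("lot-001/net_weight_mg")  # original value kept
    intact = store.first_invalid()                    # chain verifies
    store.trail[0]["new"] = 100.2                     # direct overwrite of stored data
    return history, intact, store.first_invalid()


if __name__ == "__main__":
    print(demo())
```

A hash chain stored next to the data only exposes edits by someone who does not also rewrite the chain, so the latest hash should be copied to a location that the application's users, administrators included, cannot write.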

No Revalidation after Software Changes

W-144

An FDA inspection of a device manufacturer in March 2005 revealed a number of Part 820 violations that resulted in a warning letter.

  • According to the warning letter, the company failed to validate software for a device. "Specifically, the xxx controller unit, software version xxx was changed to xxx.
  • The change in the software allowed for adjustment in the speed of the water pump, and inverse pulsing from the A valve to the B valve when the speculum was clogged. Your firm did not have any documentation showing that the current software version was validated".
  • Furthermore, the company was cited for failing to develop and maintain quality requirements for suppliers, contractors and consultants and for failing to audit a contract manufacturer.

The warning letter can be downloaded from the Labcompliance Usersclub (W-144).

 

All Analysts and Supervisors have System Privileges

W-143

An FDA inspection of a pharmaceutical manufacturer revealed a number of cGMP violations that resulted in a 483 with 20 observations.

Deviations related to computer systems and electronic records are:

  • Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.
  • The firm has failed to establish controls and procedures to assure authenticity, integrity and security of all electronic records including data generated in the QC laboratory.
  • All laboratory analysts and supervisors have system administration privileges in the firm's HPLC and GC acquisition systems which allow them to overwrite original raw data files.

The 483 can be downloaded from the Labcompliance Usersclub (W-143).

No Backup Procedures and No Validation of Computer Systems

W-138

Missing backup procedures and missing validation of computer systems drew an FDA warning letter. Examples of deviations in the Warning Letter include:

  • The firm’s computer software programs which operate all of the lab during the analysis of raw materials and xxx finished product, have not been qualified and/or validated", and

  • The software programs do not secure files from accidental alteration or losses of data. The functions that modify and delete partial or whole data files are available for use by all analysts."

  • In addition, the firm has not established any security procedures for the laboratory computer systems.

  • There are no procedures for backing-up data files and no levels of security access established".

The warning letter can be downloaded from the Labcompliance Usersclub (W-138).

Software not Revalidated

W-136

In a warning letter from September 2004 the FDA cited a firm for not providing revalidation protocols:

  • Your response (to Form FDA 483, List of Inspectional Observations) indicates that the computer software was initially validated in April 2001 and that it was going to be revalidated in May 2004.
  • You also included the validation report of the software used for maintenance of the complaint. However, the adequacy of the challenges to the computer systems cannot be fully assessed since the validation protocols were not provided.

The warning letter can be downloaded from the Labcompliance Usersclub (W-136).

FDA Presentation: Electronic Data Integrity and Fraud - Another Looming Crisis?

G-330

Edwin Rivera, Chief Investigations and Preapproval Compliance Branch at CDER US FDA gave a compliance update for CDER at the 31st international GMP conference in Athens, Georgia. He started the presentation with a brief overview of the objectives of the pre-approval inspection program and the roles of reviewers and CDER’s Office of Compliance. Then he focused his entire presentation on one of FDA's recent concerns: integrity of electronic data. Three of ten recent audits revealed data of highly questionable reliability that are currently under review by CDER, and second audit assignments are to be issued shortly. He also gave a lot of examples.

Examples of deviations as reported by Edwin Rivera:

  • Biased manipulation of (electronic) study data in the acceptance of failed runs
  • Intentional computer manipulation of chromatograms by cutting and pasting chromatographic data so that initial out-of-specification test results are brought into specifications
  • Altering weights of samples and standards in analytical calculations
  • Changing chromatogram processing parameters

Mr. Rivera finished the presentation with FDA's plans on how to respond to this:

  1. Specialized training of investigational staff on uncovering data integrity, data manipulation and fraud,
  2. PAIs to focus more on data integrity and fraud and
  3. Through the agency's commitment to follow-up on leads or information regarding data manipulation and fraud.

He also gave recommendations to the industry:

  1. Train employees on proper handling and reporting of data and
  2. To assure the reliability of data reported in applications and manufacturing records.

The full presentation can be downloaded from the Labcompliance Usersclub (G-330).