|
The requirements for Laboratory Information Management
Systems (LIMS) und Chromatography Data Systems (CDS) are defined e.g. in the
US Guidance 21 CFR Part 11 (Electronics Records; Electronic Signatures).
However, the Food & Drug Administration (FDA) withdrew its interpretation of
the guidance in form of various draft guidances already in early 2003, after
the industry had encountered too many problems with these interpretations.
The authority also still owes the new version of the guidance that was
announced for end of 2005. In addition, the requirements are not clearly
defined in any other regulations either, as various interpretations
demonstrate.
Still, Warning Letters issued by the FDA in 2006 show that
the authority does not neglect LIMS/CDS in inspections at all and that
industry should absolutely pay more attention to this topic.
Excerpts of FDA Warning Letters:
Example 1:
"Laboratory records failed to include the initials or
signature of a second person showing that the original records have been
reviewed for accuracy, completeness, and compliance with established
standards [21 CFR 211.194(a)(8)].
The above discussed manipulations were performed by
analysts using the … Chromatographic Data System (CDS)… . Although the audit
function is used in your procedures, there is no specific requirement
regarding any review of the audit trails, and your records failed to include
documentation that a second person had conducted such a review. In fact, our
investigator was told that no such audit had ever been performed. However, a
second person must review these audit trails, particularly given the lack of
controls for preventing data manipulation. Such an audit may well have
detected the data manipulation which was occurring at your facility."
Example 2:
"Failure to employ appropriate controls over computer or
related systems to assure that changes in master production and control
records or other records are instituted only by authorized personnel
[21 CFR § 211.68(b)].
For example, your firm has inadequate security measures in
place to assure the integrity and reliability of data generated by your
laboratory. During the … inspection, our investigators observed your
laboratory analysts operating computers under different analysts' names.
Your analysts told our investigators that using other laboratory personnel's
names and passwords was a common occurrence in your firm's laboratory while
using your … laboratory software."
Example 3:
"Appropriate controls are not exercised over computers
or related systems to assure that changes in analytical methods or other
control records are instituted only by authorized personnel [21 CFR §
211.68(b)].
Specifically:
a) Laboratory managers (QC and R&D) gained access to the … computer system
through a common password. Analysts were not required to use individual
passwords; they operated the system following the login by the laboratory
managers.
b) Due to the common password and lack of varying security levels, any
analyst or manager has access to, and can modify any HPLC analytical method
or record. Furthermore, review of audit trails is not required."
|
