On 7 July 2020, the FDA issued a Warning Letter to the US-American company Stason Pharmaceuticals, Inc. following an inspection conducted in October 2019. Missing controls to ensure the integrity of the electronic test data in the laboratory and an insufficient response to the complaints have led to this Warning Letter. FDA Warning Letters always refer to relevant chapters of 21 CFR Part 211.
Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(a))
A spectrophotometer was used for release and stability testing for finished products. In a demonstration carried out during the inspection, the inspector discovered that the control computer was not secured. Files could be deleted without the knowledge of the quality unit.
The Company's Response
The company's response to this observation was insufficient. Why?
There was no comprehensive review of all laboratory instruments with regard to the appropriateness of the user roles
The company acknowledged that the software was not working as intended and lacked the necessary knowledge or experience to troubleshoot it. However, the company is striving to remedy the situation! This answer was insufficient for the FDA because a retrospective assessment of the potential impact of system vulnerabilities on data integrity was missing.
What does the FDA expect in Response to this Warning Letter
As usual in such cases, the FDA expects a comprehensive and independent assessment and a CAPA plan for the safety and integrity of computer systems. It also expects a comprehensive report that identifies design and control vulnerabilities and appropriate remediations for each computer system in the laboratory. The report should include:
A list of all hardware from the lab, including all standalone as well as network equipment
An identification of the hardware and software belonging to these systems
A list of all software configurations/versions (equipment software and LIMS). Further information is still required: - For each laboratory system, details of all user priviledges and administrative responsibilities - The user roles and associated user rights should be specified for all employees who have access to the laboratory systems - The list should also include the specific authorisations of those with administrator rights
System security regulations; including whether unique user names / passwords are always used and how their confidentiality is guaranteed
The current status of audit trail implementation and detailed procedures for the robust use and review of audit trails
Interim control measures and procedural changes for the control, verification and storage of laboratory data
Technological improvements to increase the integration of data from stand-alone systems into the LIMS network
A detailed summary of the process updates and related training. This should also take into account the control of system security with regard to the prevention of unauthorised access and appropriate allocation of user roles
Provisions for oversight by QA managers, executives, and internal auditors with appropriate IT expertise (e.g., to evaluate infrastructure, configuration, network requirements, data management practices, and segregation of duties, including administrator rights)
An improved programme to ensure strict ongoing control over electronic and paper-based data, to ensure that all additions, deletions or modifications of information in the records are authorised and that all data is retained. A full CAPA plan and an overview of all improvements made so far should be attached
An independent, thorough retrospective assessment of the impact of laboratory system design, control and staff behaviour on the accuracy, completeness and retention of data since 1 January 2017
A complete assessment of the documentation systems used throughout the manufacturing and laboratory operations to identify where documentation practices are insufficient. A detailed CAPA plan that comprehensively improves the company's documentation practices to ensure that attributable, legible, complete, original, accurate and contemporaneous records are maintained throughout the operation (ALCOA+).