Data integrity continues to be one of the main topics during FDA inspections. One of the contributing causes for the warning letter to the American company Vi-Jon was the lack of controls to ensure the integrity of electronic data as well as insufficient access control to IT systems.
Based on an inspection which was carried out in October 2021 the FDA sent a warning letter to the American company Vi-Jon, LLC, on 31 March 2022. The company's answers dated 3 November 2021 regarding the complaints listed in Form FDA 483 were deemed inadequate by the FDA. FDA warning letters make reference to the GMP requirements stipulated in 21 CFR Part 211. In this case the claims concerned data integrity:
Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(a))
Lack of controls to ensure the integrity of electronic data. In this context it was not guaranteed that only appropriate personnel had administrative rights. For example, there were no appropriate controls in place to prevent deletion of raw data for a microbiological testing instrument with a stand-alone computer.
All laboratory staff utilized a shared account to access the computer which had administrative privileges capable of changing and deleting files. During the inspection, relevant files were found in the computer's electronic bin.
The laboratory management did not review the audit trail of the HPLC analysis software for drug product testing before release of a batch. This is a repeat violation from the 2017 inspection.
The company's answer
The company stated the following:
The common user login will be discontinued and administrative rights will only be assigned to IT personnel outside of the quality unit.
The software is being updated and a new procedure governing user access will be created.
The analysis software is being upgraded. The audit trail for each sample will be printed and added to the data packet for review.
These answers of the company as regards the observations were deemed inadequate by the FDA. Why?
There are no sufficient corrective actions to secure the analysis software and the associated stand-alone computer.
The user access levels, access privileges, and authorized users are not described.
Allowing only one microbiologist access to the system is not a robust strategy and does not replace a system of access levels and privileges.
A description where data will be stored to prevent inappropriate access or deletion is missing.
The retrospective assessment of the complaints as regards the previous drug product release was missing.
The proposed data review procedure is inadequate. The use of static copies of laboratory records is inadequate as they do not preserve the dynamic record format of the full analytical test result which should be a part of the review process for release. It must be ensured that original laboratory records, including paper and electronic records, are subject to a review to ensure that all test results and associated information are appropriately reported.
What does the FDA expect in the answer to this warning letter?
A comprehensive, independent assessment and CAPA plan for IT system security and integrity. This includes a report that identifies design and control vulnerabilities, and appropriate remediations for each of the laboratory computer systems. This report should include but not be limited to:
A list of all hardware in the laboratory (both standalone systems and networking devices).
The identification of vulnerabilities in hardware and software, encompassing both networked and non-networked systems.
A list of all software configurations (both equipment software and LIMS versions), details of all user privileges, and oversight responsibilities for each of the laboratory systems. User roles and associated user privileges (including the specific permissions allowed for anyone who has administrative rights) for all staff who have access to the laboratory computer systems, and their organizational affiliation and title.
System security provisions, including whether unique user names/passwords are always used and their confidentiality safeguarded.
Detailed procedures for audit trails, and current status of audit trail implementation for each system.
Interim control measures and procedural changes for the control, review, and full retention of laboratory data.
Technological improvements to increase the integration of data generated through electronic systems from standalone equipment (e.g., balances, pH meters, water content testing) into the network.
A detailed summary of the procedural updates and associated training, including but not limited to system security control to prevent unauthorized access, appropriate user role assignments, secondary review of all analyses, and other system controls.
A remediated program for ensuring strict ongoing control over electronic and paper-based data to ensure that all additions, deletions, or modifications of information in the records are authorized, and all data is retained. A full CAPA plan and any improvements made to date is required.