LIMS/CDS Get More Attention in Inspections

GMP News
14 May 2007

LIMS/CDS Get More Attention in Inspections

The requirements for Laboratory Information Management Systems (LIMS) und Chromatography Data Systems (CDS) are defined e.g. in the US Guidance 21 CFR Part 11 (Electronics Records; Electronic Signatures). However, the Food & Drug Administration (FDA) withdrew its interpretation of the guidance in form of various draft guidances already in early 2003, after the industry had encountered too many problems with these interpretations. The authority also still owes the new version of the guidance that was announced for end of 2005. In addition, the requirements are not clearly defined in any other regulations either, as various interpretations demonstrate.

Still, Warning Letters issued by the FDA in 2006 show that the authority does not neglect LIMS/CDS in inspections at all and that industry should absolutely pay more attention to this topic.

Excerpts of FDA Warning Letters:

Example 1:

"Laboratory records failed to include the initials or signature of a second person showing that the original records have been reviewed for accuracy, completeness, and compliance with established standards [21 CFR 211.194(a)(8)].

The above discussed manipulations were performed by analysts using the … Chromatographic Data System (CDS)… . Although the audit function is used in your procedures, there is no specific requirement regarding any review of the audit trails, and your records failed to include documentation that a second person had conducted such a review. In fact, our investigator was told that no such audit had ever been performed. However, a second person must review these audit trails, particularly given the lack of controls for preventing data manipulation. Such an audit may well have detected the data manipulation which was occurring at your facility."

Example 2:

"Failure to employ appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel
[21 CFR § 211.68(b)].

For example, your firm has inadequate security measures in place to assure the integrity and reliability of data generated by your laboratory. During the … inspection, our investigators observed your laboratory analysts operating computers under different analysts' names. Your analysts told our investigators that using other laboratory personnel's names and passwords was a common occurrence in your firm's laboratory while using your … laboratory software."

Example 3:

"Appropriate controls are not exercised over computers or related systems to assure that changes in analytical methods or other control records are instituted only by authorized personnel [21 CFR § 211.68(b)].

a) Laboratory managers (QC and R&D) gained access to the … computer system through a common password. Analysts were not required to use individual passwords; they operated the system following the login by the laboratory managers.
b) Due to the common password and lack of varying security levels, any analyst or manager has access to, and can modify any HPLC analytical method or record. Furthermore, review of audit trails is not required."


The European Compliance Academy (ECA) offers two courses that will cover these topics:

Dr Günter Brendelberger
On behalf of the European Compliance Academy (ECA)


Go back

GMP Conferences by Topics