150 likes | 272 Views
Electronic Records and Signatures: Warning Letters and Observations including proposed solutions. 8 Linweld (8/2/99) , X 9 Purepac (11/26/97), 10 Schein (3/2/00), X 11 Synthes (10/15/99), 12 Willis Eye Associates (7/7/98), 13 Ganes Chemicals (12/22/99)
E N D
Electronic Records and Signatures:Warning Letters and Observations including proposed solutions
8 Linweld (8/2/99) , X 9 Purepac (11/26/97), 10 Schein (3/2/00), X 11 Synthes (10/15/99), 12 Willis Eye Associates (7/7/98), 13 Ganes Chemicals (12/22/99) 14 Associated Regional University Pathologists (3/18/99). Warning Letters and 483-Observations 1 Ansell International (6/8/98), 2 Cypress Bioscience (6/7/99), 3 Fairbanks Memorial Hospital (4/28/99), 4 Gensia Sicor (7/21/99),X 5 Glenwood (5/20/99), 6 Hydro Med Sciences (2/12/99), 7 Johnson Matthey (3/7/00), X Red = Warning Letter
Procedures Authorisation System Audit Trail Issues Backup Password Change Control Data handling Recent Problems Observed in FDA-Inspections Classification of 36 FDA-Observations from 14 Warning Letters and 483 17% 17% 11% 11% 27% 11% 3% 3% Goldsheet, October 2000
Findings and Proposed Corrective Actions 1/12 • Data edit rights available to all users • Restrict user authorizations to the necessary. Protect files wherever possible. • Functions that "modify" or "delete" whole or partial data files available to all analysts • Restrict authorizations of people who can delete and modify • All QC network users can edit permissions for fields, commands, and system menu functions; analysts can submit edited data • All users can delete data, modify files, & overwrite raw data • Restrict authorizations
Findings and Proposed Corrective Actions 2/12 • Original reports sent via email differed significantly from QA Manager's official reports • Do not send reports by email, without checksum or hash • No evidence of system's ability to discern invalid or altered records • Evaluate the usage of checksums or other protection tools • Inadequate HPLC controls; analysts can delete results • Check all Lab-Equipment that there are no “Delete” functions
Findings and Proposed Corrective Actions 3/12 • Software does not secure data from alterations, loss, or erasure • Have Backup procedure in place. Evaluate new Software • No written procedures for use of passwords, access levels, or data backup • Check if procedures are available • User ID & password publicly posted for other employees' use • Keep the passwords secret, no group password
Findings and Proposed Corrective Actions 4/12 • Employees terminated years earlier still had access privileges • Check list of authorized personnel and have a procedure in place that system administration is notified about changes in personnel • No security procedures for lab computer systems; no security access levels established • Have different appropriate access levels defined in procedures and implemented in the lab • No data file backup procedures • Check Backup Procedure
Findings and Proposed Corrective Actions 5/12 • No password security on computer used for data entry and data transfer via the internet • Do not transfer the data via Internet except you are using encryption and have the corresponding procedures. • No physical or password access controls on PLC to prevent unauthorized changes • Difficult one. PLCs should not be used to enter data or recipes. Lock PLCs in. PLCs – at least the old ones do not have any possibility to work with User access rights, passwords and the like. Needs to be solved procedurally if recipes are entered in PLC.
Findings and Proposed Corrective Actions 6/12 • Primary CAD engineering drawings stored on unprotected computer • Define which drafts are relevant to GMP and need to be stored. Do not store GMP-relevant Data on unprotected computers • No procedures to verify electronic SOPs against approved hardcopy prior to posting on company network • Verify formally all the documents that are distributed electronically. Validate the system.
Findings and Proposed Corrective Actions 7/12 • Password protection can be bypassed • Windows O/S security can be bypassed • Use Windows 95, 98 as operating system only if you know using TWEAK.UI. Windows 3.1, DOS...Do not use these Systems • Password system does not ensure password expiration; passwords can be as short as 4 characters • There are no regulatory requirements behind this. In save systems such as ATM (automated teller machine) cards (e.g. Bankomat) the password does not age and is therefore never changed. These cards sometimes have also as short codes as 4 digits.
Findings and Proposed Corrective Actions 8/12 • Audit Trail Issues • System does not generate an audit trail • No audit trail for changes to clinical data in e-records • No audit trail • There are no immediate remedies. Show in plans when you are going to replace the Equipment. • TurboChrom audit trail switch was intentionally disabled • Be sure to have an existing audit trail switched on. • No SOPs or records for changes made to critical data • Have an SOP for the change of critical data in place.
Findings and Proposed Corrective Actions 9/12 Record Retention Issues • No assurance that e-records could be stored/retrieved for entire retention period • Have details in a procedure • Electronic files from lab instruments not properly maintained • Have clear maintenance procedures including maintenance of electronic files • Software allows overwriting of original data • Difficult. Software needs to be replaced.
Findings and Proposed Corrective Actions 10/12 • Failure to assure retention & security of PLC data captured by computer • Validate and test system • No procedure to control secure retention of master PLC programs, or to identify & retain all versions • Establish Change Control • Data files automatically deleted after printing • Difficult. Software needs to be replaced.
Findings and Proposed Corrective Actions 11/12 • Backup tapes were never restored & verified; tapes stored at employee's home • Test Backup procedure regularly E-Signature Control Issues • No written accountability procedures for actions taken under E-signatures • Establish procedure to make personnel accountable for their signatures. • No safeguards to prevent unauthorized use of E-signatures when employee leaves the workstation • Screensaver and Lock the screen procedure
Findings and Proposed Corrective Actions 12/12 • E-signature certification not sent to FDA prior to using E-signatures • Roche has sent out such a certification in 1998 Other Issues • Could not generate copies of e-records • Verify that copies can be generated. In Windows: Provide Screenshot (Press Print-Screen Button, open an empty Word Document, and press CTRL+V)