Download presentation
Presentation is loading. Please wait.
Published byElfrieda Ellis Modified over 9 years ago
1
Electronic Records and Signatures: Warning Letters and Observations including proposed solutions
2
8Linweld (8/2/99), X 9Purepac (11/26/97), 10 Schein (3/2/00), X 11 Synthes (10/15/99), 12 Willis Eye Associates (7/7/98), 13 Ganes Chemicals (12/22/99) 14 Associated Regional University Pathologists (3/18/99). Red = Warning Letter Warning Letters and 483- Observations 1Ansell International (6/8/98), 2Cypress Bioscience (6/7/99), 3Fairbanks Memorial Hospital (4/28/99), 4Gensia Sicor (7/21/99), X 5Glenwood (5/20/99), 6Hydro Med Sciences (2/12/99), 7Johnson Matthey (3/7/00), X
3
Classification of 36 FDA-Observations from 14 Warning Letters and 483 27% 17% 11% 3% Procedures Authorisation System Audit Trail Issues Backup Password Change Control Data handling Goldsheet, October 2000 Recent Problems Observed in FDA-Inspections
4
Findings and Proposed Corrective Actions 1/12 Data edit rights available to all users –Restrict user authorizations to the necessary. Protect files wherever possible. Functions that "modify" or "delete" whole or partial data files available to all analysts –Restrict authorizations of people who can delete and modify All QC network users can edit permissions for fields, commands, and system menu functions; analysts can submit edited data All users can delete data, modify files, & overwrite raw data –Restrict authorizations
5
Findings and Proposed Corrective Actions 2/12 Original reports sent via email differed significantly from QA Manager's official reports –Do not send reports by email, without checksum or hash No evidence of system's ability to discern invalid or altered records –Evaluate the usage of checksums or other protection tools Inadequate HPLC controls; analysts can delete results –Check all Lab-Equipment that there are no “Delete” functions
6
Findings and Proposed Corrective Actions 3/12 Software does not secure data from alterations, loss, or erasure –Have Backup procedure in place. Evaluate new Software No written procedures for use of passwords, access levels, or data backup –Check if procedures are available User ID & password publicly posted for other employees' use –Keep the passwords secret, no group password
7
Findings and Proposed Corrective Actions 4/12 Employees terminated years earlier still had access privileges –Check list of authorized personnel and have a procedure in place that system administration is notified about changes in personnel No security procedures for lab computer systems; no security access levels established –Have different appropriate access levels defined in procedures and implemented in the lab No data file backup procedures –Check Backup Procedure
8
Findings and Proposed Corrective Actions 5/12 No password security on computer used for data entry and data transfer via the internet –Do not transfer the data via Internet except you are using encryption and have the corresponding procedures. No physical or password access controls on PLC to prevent unauthorized changes –Difficult one. PLCs should not be used to enter data or recipes. Lock PLCs in. PLCs – at least the old ones do not have any possibility to work with User access rights, passwords and the like. Needs to be solved procedurally if recipes are entered in PLC.
9
Findings and Proposed Corrective Actions 6/12 Primary CAD engineering drawings stored on unprotected computer –Define which drafts are relevant to GMP and need to be stored. Do not store GMP-relevant Data on unprotected computers No procedures to verify electronic SOPs against approved hardcopy prior to posting on company network –Verify formally all the documents that are distributed electronically. Validate the system.
10
Findings and Proposed Corrective Actions 7/12 Password protection can be bypassed Windows O/S security can be bypassed –Use Windows 95, 98 as operating system only if you know using TWEAK.UI. Windows 3.1, DOS...Do not use these Systems Password system does not ensure password expiration; passwords can be as short as 4 characters –There are no regulatory requirements behind this. In save systems such as ATM (automated teller machine) cards (e.g. Bankomat) the password does not age and is therefore never changed. These cards sometimes have also as short codes as 4 digits.
11
Findings and Proposed Corrective Actions 8/12 Audit Trail Issues System does not generate an audit trail No audit trail for changes to clinical data in e-records No audit trail –There are no immediate remedies. Show in plans when you are going to replace the Equipment. TurboChrom audit trail switch was intentionally disabled –Be sure to have an existing audit trail switched on. No SOPs or records for changes made to critical data –Have an SOP for the change of critical data in place.
12
Findings and Proposed Corrective Actions 9/12 Record Retention Issues No assurance that e-records could be stored/retrieved for entire retention period –Have details in a procedure Electronic files from lab instruments not properly maintained –Have clear maintenance procedures including maintenance of electronic files Software allows overwriting of original data –Difficult. Software needs to be replaced.
13
Findings and Proposed Corrective Actions 10/12 Failure to assure retention & security of PLC data captured by computer –Validate and test system No procedure to control secure retention of master PLC programs, or to identify & retain all versions –Establish Change Control Data files automatically deleted after printing –Difficult. Software needs to be replaced.
14
Findings and Proposed Corrective Actions 11/12 Backup tapes were never restored & verified; tapes stored at employee's home –Test Backup procedure regularly E-Signature Control Issues No written accountability procedures for actions taken under E-signatures –Establish procedure to make personnel accountable for their signatures. No safeguards to prevent unauthorized use of E-signatures when employee leaves the workstation –Screensaver and Lock the screen procedure
15
Findings and Proposed Corrective Actions 12/12 E-signature certification not sent to FDA prior to using E-signatures –Roche has sent out such a certification in 1998 Other Issues Could not generate copies of e-records –Verify that copies can be generated. In Windows: Provide Screenshot (Press Print-Screen Button, open an empty Word Document, and press CTRL+V)
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.