Sep 13, 2022

Do you have sufficient controls over computerized systems ?-Case Study from Warning Letters

Do you have sufficient controls over computerized systems ?-Case Study from Warning Letters

You have computerized systems on your site.

Have you ensured that you have enough control over computerized systems?

Read these Case studies extracted from Warning Letters:

3. Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).

This observation was given due to the following reasons:

The firm lacked sufficient controls over your HPLC data acquisition systems used in the testing of drugs for release.

The firm's Series of HPLC instruments did not have sufficient controls to prevent the deletion and alteration of raw data files.

During the inspection, the investigators observed laboratory personnel performing drug testing and analyses. Personnel had administrative privileges to the (b)(4) operating software for the HPLC equipment. These privileges included but were not limited to, the ability to delete data sequences and change method parameters.

In addition, the HPLC instrument was found to be operating in the absence of an activated audit trail to record information about each analytical test, such as:

• Type of injection
• Date and time
• Identity of analyst
• Nature of action taken and reason

The firm stated that data from the HPLC was not securely backed up and you did not review the HPLC audit trail data. In addition, the firm failed to validate electronic signatures used to approve analytical testing records for release testing of drugs performed from at least January 2020, to September 2021.

4. Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and failure to establish and follow written procedures for the operation and maintenance of your computerized systems.

The firm has insufficient controls over CGMP data. For example:

• The firm lacked unique passwords for laboratory instruments used to generate analytical data for finished API products.

• The firm's analytical systems lacked controls to prevent users from deleting electronic data.

• The firm lacked procedures governing the review of audit trails of both production and laboratory equipment by your QU.

• The firm lacked procedures or controls for critical alarms for their production process.

The firm response was inadequate as per the Regulatory Authority. The firm proposes to issue unique passwords and establish an audit trail and review procedure.

The firm's response does not include interim control measures and procedural changes for the control and review of analytical data.

The firm also has not specified the frequency of audit trail reviews of your analytical instrument systems. In addition, they do not provide details for evaluating criteria for the selection of critical process steps for alarms.

Lastly, you do not commit to performing a retrospective review of laboratory and production data to evaluate the impact of inadequate controls over CGMP data on the reliability of your results.

Assignment for you:

Audit your site whether your site has sufficient control over the computer systems or not.

Draft guidance on Computer Software Assurance for Production and Quality System Software has been released.

Click the below link to read the guidance;

Draft guidance on Computer Software Assurance for Production and Quality System Software