Recent observation on IT system controls
Is it that companies are not serious about data integrity, or that users are not trained enough on data integrity?
Yes. The FDA recently issued a warning letter to a pharmaceutical company for multiple observations, as follows:
# Analyst had access to delete and overwrite data
# Over 100 deleted files observed in recycle bin on IR and UV spectrometer computers
# Multiple analytical batch files were deleted
# Unique ID and password for analytical software and generic Windows credentials
# Backup practice was not exercised for standalone system
# Failure to trace the previous drug analysis data
For more IT system observations, please visit the "COMPUTER SYSTEM VALIDATION / ITQA" group.
Observation:
a) Analyst had access to delete and overwrite data
b) Over 100 deleted files observed in recycle bin on IR and UV spectrometer computers
c) Multiple analytical batch files were deleted
Requirement: § 11.10 (c) Protection of records
CAPA:
· During validation, the user privilege matrix should be assigned as per the roles and responsibilities (R&R), and this should be verified during validation to prove that neither a user nor an administrator is able to delete any electronic data. Hence the possible root cause might be either inadequate validation or a user privilege matrix that was modified after validation.
· Hence it is recommended that the investigation start retrospectively, from the initial validation through the current data release. With the help of data recovery software, recover the deleted files from the date of the analytical software installation. Each deleted GxP data item should go through a detailed impact analysis of the released batches. Also check the respective batch stability data to prove that the released drug has no effects for human consumption.
· As a preventive action, other GxP systems must be verified to ensure that manufacturing electronic data was not deleted. User privileges should be reviewed and approved by QA, then verified again with a minimal validation to prove that user or administrator deletion is completely restricted. The administrator role is assigned to an IT user. Also, the organization should have a serious policy against data integrity violations.
Observation:
d) Unique ID and password for analytical software and generic Windows credentials
Requirement: § 11.300 (a) Unique ID & password. § 11.10 (d) Limited system access to authorized individuals.
CAPA: The possible root cause might be that the IT systems / server are not configured for, or not capable of, unique Windows credentials, or a lack of awareness of Part 11 requirements among IT users. As a corrective action, all GxP systems need to be verified to ensure that users do not have access to the data storage location. If they have access, a retrospective analysis shall be performed to ensure that raw data / metadata has not been deleted from the respective storage location. Run data recovery software to recover the deleted files (if any).
As a preventive action, the system shall be upgraded or configured to have unique user Windows credentials. Local storage access shall be restricted for users. The active users list needs to be periodically reviewed and authorized by the Quality unit.
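One way to carry out the verification described in the CAPAs for observations a) to d), as an added example that is not part of the original article: a PowerShell audit that reads the NTFS ACLs under a data folder and reports every principal, outside an approved list, that can delete or overwrite records. The folder path `D:\InstrumentData` and the approved list are assumptions to be replaced with the site's own privilege matrix.

```powershell
# Added example: list every principal that can delete or overwrite records under a data folder.
# $DataPath and $Approved are assumptions; set them from the site's approved privilege matrix.
param(
    [string]$DataPath = 'D:\InstrumentData',   # hypothetical instrument data location
    [string[]]$Approved = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Access-mask bits (Windows file access rights).
$DELETE        = 0x00010000   # Delete
$DELETE_CHILD  = 0x00000040   # DeleteSubdirectoriesAndFiles
$WRITE_DATA    = 0x00000002   # WriteData on a file = overwrite (on a folder it means create files)
$GENERIC_ALL   = 0x10000000   # generic bits show up as raw numbers on inherit-only ACEs
$GENERIC_WRITE = 0x40000000

# The folder itself plus everything below it, hidden items included.
$items = @(Get-Item -LiteralPath $DataPath) +
         @(Get-ChildItem -LiteralPath $DataPath -Recurse -Force)

$findings = foreach ($item in $items) {
    foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }   # Deny entries grant nothing
        $who = $rule.IdentityReference.Value
        if ($Approved -contains $who) { continue }

        $mask = [int]$rule.FileSystemRights
        $canDelete = ($mask -band ($DELETE -bor $DELETE_CHILD -bor $GENERIC_ALL)) -ne 0
        $canOverwrite = (-not $item.PSIsContainer) -and
            (($mask -band ($WRITE_DATA -bor $GENERIC_WRITE -bor $GENERIC_ALL)) -ne 0)

        if ($canDelete -or $canOverwrite) {
            [pscustomobject]@{
                Path         = $item.FullName
                Principal    = $who
                CanDelete    = $canDelete
                CanOverwrite = $canOverwrite
                Inherited    = $rule.IsInherited
                Rights       = $rule.FileSystemRights
            }
        }
    }
}

# Any row is a deviation from "users cannot delete or overwrite electronic data".
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

A group such as `BUILTIN\Users` in the output covers every member account, so review it together with the active users list.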
Observation:
e) Backup practice was not exercised for standalone system
Requirement: § 11.10 (c) Protection of records
CAPA: The possible root cause might be the lack of a procedure for backup, restore and disaster recovery.
As a corrective action, a backup schedule shall be prepared, and the backup interval shall be assigned based on data / system criticality. A well-governed procedure should be in place for backup, restore and disaster recovery. All GxP data shall be backed up and made available at any time. A secondary backup should be available to ensure that data remains available in any critical disaster.
As a preventive action, frequent backup drills shall be exercised and users trained on backup and restoration practice.
Observation:
f) Failure to trace the previous drug analysis data
Requirement: § 11.10 (k) Control over documentation, § 11.10 (b) Accurate generation of copies
CAPA: The possible root cause might be an inadequate investigation, or an investigation that was not conducted in detail.
As a corrective action, the investigation shall be conducted with traceability through the original source data.
CSV SME, QMS, Pharmaceutical Regulations. FDA 21CFR part 11, EU Annex 11, ISO 13485, Agile, SAP S4 Hana Validation, Infrastructure Qualification, Cloud Migration & Qualification, Change Management, CAPA, Audits
2 years ago
Not surprising. There are very few compliance resources available who are well versed in data integrity. I have seen so many gaps myself. So, can imagine what FDA must have found out.