WL Stason Pharmaceuticals, Inc. JULY 08, 2020

2. Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
Your firm lacked controls necessary to assure the integrity of electronic test data. Specifically, you failed to implement sufficient controls to support the integrity of your data and to ensure that only appropriate individuals had administrative rights.
Notably, a demonstration performed during the inspection revealed that the computer operating the (b)(4) spectrophotometer (ID: L-563) was not secured such that data files could be deleted without the knowledge of your quality unit. This instrument was used for finished product release and stability testing for several drug products.
Your response was inadequate because it failed to include a comprehensive review of all laboratory instruments to determine whether all user roles are appropriate. You acknowledged that your software was not working as intended and you lacked the necessary knowledge or experience to troubleshoot the issue. You noted that you are pursuing remediation for the (b)(4) spectrophotometer. Your response was insufficient because it lacked a retrospective assessment into how system vulnerabilities may have impacted data integrity...

In response to this letter, provide the following:
  • A comprehensive, independent assessment and CAPA plan for computer system security and integrity. Include a report that identifies vulnerabilities in design and controls, and appropriate remediations for each of your laboratory computer systems. This should include but not be limited to:
    o A list of all hardware that includes all equipment, both standalone and network, in your laboratory.
    o Identification of vulnerabilities in hardware and software, encompassing both networked and non-networked systems (e.g., PLC).
    o A list of all software configurations (both equipment software and LIMS) and versions, details of all user privileges, and oversight responsibilities for each of your laboratory systems. Regarding user privileges, specify user roles and associated user privileges (including the specific permissions allowed for anyone who has administrative rights) for all staff who have access to the laboratory computer systems, and their organizational affiliation and title.
    o System security provisions, including but not limited to whether unique user names/passwords are always used and their confidentiality safeguarded.
    o Detailed procedures for robust use and review of audit trails, and current status of audit trail implementation for each of your systems.
    o Interim control measures and procedural changes for the control, review, and full retention of laboratory data.
    o Technological improvements to increase the integration of data generated through electronic systems from standalone equipment (e.g., balances, pH meters, water content testing) into the LIMS network.
    o A detailed summary of your procedural updates and associated training, including but not limited to system security control to prevent unauthorized access, appropriate user role assignments, and other system controls.
    o Provisions for oversight by QA managers, executives, and internal auditors with appropriate IT expertise (e.g., to evaluate infrastructure, configuration, network requirements, data management practices, and segregation of duties including administrator rights).
    o A remediated program for ensuring strict ongoing control over electronic and paper-based data to ensure that all additions, deletions, or modifications of information in your records are authorized, and all data is retained. Include a full CAPA plan and any improvements made to date.
    o An independent, thorough retrospective assessment into the impact of laboratory system design, control, and staff practices on your data accuracy, completeness, and retention since January 1, 2017.

  • A complete assessment of documentation systems used throughout your manufacturing and laboratory operations to determine where documentation practices are insufficient. Include a detailed CAPA plan that comprehensively remediates your firm’s documentation practices to ensure you retain attributable, legible, complete, original, accurate, contemporaneous records throughout your operation.
