Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Records and Signatures: Warning Letters and Observations including proposed solutions.

Published byElfrieda Ellis Modified over 8 years ago

Similar presentations

Presentation on theme: "Electronic Records and Signatures: Warning Letters and Observations including proposed solutions."— Presentation transcript:

1 Electronic Records and Signatures: Warning Letters and Observations including proposed solutions

2 8Linweld (8/2/99), X 9Purepac (11/26/97), 10 Schein (3/2/00), X 11 Synthes (10/15/99), 12 Willis Eye Associates (7/7/98), 13 Ganes Chemicals (12/22/99) 14 Associated Regional University Pathologists (3/18/99). Red = Warning Letter Warning Letters and 483- Observations 1Ansell International (6/8/98), 2Cypress Bioscience (6/7/99), 3Fairbanks Memorial Hospital (4/28/99), 4Gensia Sicor (7/21/99), X 5Glenwood (5/20/99), 6Hydro Med Sciences (2/12/99), 7Johnson Matthey (3/7/00), X

3 Classification of 36 FDA-Observations from 14 Warning Letters and 483 27% 17% 11% 3% Procedures Authorisation System Audit Trail Issues Backup Password Change Control Data handling Goldsheet, October 2000 Recent Problems Observed in FDA-Inspections

4 Findings and Proposed Corrective Actions 1/12 Data edit rights available to all users –Restrict user authorizations to the necessary. Protect files wherever possible. Functions that "modify" or "delete" whole or partial data files available to all analysts –Restrict authorizations of people who can delete and modify All QC network users can edit permissions for fields, commands, and system menu functions; analysts can submit edited data All users can delete data, modify files, & overwrite raw data –Restrict authorizations

5 Findings and Proposed Corrective Actions 2/12 Original reports sent via email differed significantly from QA Manager's official reports –Do not send reports by email, without checksum or hash No evidence of system's ability to discern invalid or altered records –Evaluate the usage of checksums or other protection tools Inadequate HPLC controls; analysts can delete results –Check all Lab-Equipment that there are no “Delete” functions

6 Findings and Proposed Corrective Actions 3/12 Software does not secure data from alterations, loss, or erasure –Have Backup procedure in place. Evaluate new Software No written procedures for use of passwords, access levels, or data backup –Check if procedures are available User ID & password publicly posted for other employees' use –Keep the passwords secret, no group password

7 Findings and Proposed Corrective Actions 4/12 Employees terminated years earlier still had access privileges –Check list of authorized personnel and have a procedure in place that system administration is notified about changes in personnel No security procedures for lab computer systems; no security access levels established –Have different appropriate access levels defined in procedures and implemented in the lab No data file backup procedures –Check Backup Procedure

8 Findings and Proposed Corrective Actions 5/12 No password security on computer used for data entry and data transfer via the internet –Do not transfer the data via Internet except you are using encryption and have the corresponding procedures. No physical or password access controls on PLC to prevent unauthorized changes –Difficult one. PLCs should not be used to enter data or recipes. Lock PLCs in. PLCs – at least the old ones do not have any possibility to work with User access rights, passwords and the like. Needs to be solved procedurally if recipes are entered in PLC.

9 Findings and Proposed Corrective Actions 6/12 Primary CAD engineering drawings stored on unprotected computer –Define which drafts are relevant to GMP and need to be stored. Do not store GMP-relevant Data on unprotected computers No procedures to verify electronic SOPs against approved hardcopy prior to posting on company network –Verify formally all the documents that are distributed electronically. Validate the system.

10 Findings and Proposed Corrective Actions 7/12 Password protection can be bypassed Windows O/S security can be bypassed –Use Windows 95, 98 as operating system only if you know using TWEAK.UI. Windows 3.1, DOS...Do not use these Systems Password system does not ensure password expiration; passwords can be as short as 4 characters –There are no regulatory requirements behind this. In save systems such as ATM (automated teller machine) cards (e.g. Bankomat) the password does not age and is therefore never changed. These cards sometimes have also as short codes as 4 digits.

11 Findings and Proposed Corrective Actions 8/12 Audit Trail Issues System does not generate an audit trail No audit trail for changes to clinical data in e-records No audit trail –There are no immediate remedies. Show in plans when you are going to replace the Equipment. TurboChrom audit trail switch was intentionally disabled –Be sure to have an existing audit trail switched on. No SOPs or records for changes made to critical data –Have an SOP for the change of critical data in place.

12 Findings and Proposed Corrective Actions 9/12 Record Retention Issues No assurance that e-records could be stored/retrieved for entire retention period –Have details in a procedure Electronic files from lab instruments not properly maintained –Have clear maintenance procedures including maintenance of electronic files Software allows overwriting of original data –Difficult. Software needs to be replaced.

13 Findings and Proposed Corrective Actions 10/12 Failure to assure retention & security of PLC data captured by computer –Validate and test system No procedure to control secure retention of master PLC programs, or to identify & retain all versions –Establish Change Control Data files automatically deleted after printing –Difficult. Software needs to be replaced.

14 Findings and Proposed Corrective Actions 11/12 Backup tapes were never restored & verified; tapes stored at employee's home –Test Backup procedure regularly E-Signature Control Issues No written accountability procedures for actions taken under E-signatures –Establish procedure to make personnel accountable for their signatures. No safeguards to prevent unauthorized use of E-signatures when employee leaves the workstation –Screensaver and Lock the screen procedure

15 Findings and Proposed Corrective Actions 12/12 E-signature certification not sent to FDA prior to using E-signatures –Roche has sent out such a certification in 1998 Other Issues Could not generate copies of e-records –Verify that copies can be generated. In Windows: Provide Screenshot (Press Print-Screen Button, open an empty Word Document, and press CTRL+V)

Download ppt "Electronic Records and Signatures: Warning Letters and Observations including proposed solutions."

Similar presentations

How to Validate a Vendor Purchased Application

How to Validate a Vendor Purchased Application
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM

PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Document Control DAP Quality Conference May 12, 2008 Debbie Penn.

Document Control DAP Quality Conference May 12, 2008 Debbie Penn.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Lesson 13 PROTECTING AND SHARING DOCUMENTS

Lesson 13 PROTECTING AND SHARING DOCUMENTS
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Auditing 81.3550 Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.

Auditing Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
Instructions and forms

Instructions and forms
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
Software Development Unit 2 Databases What is a database? A collection of data organised in a manner that allows access, retrieval and use of that data.

Software Development Unit 2 Databases What is a database? A collection of data organised in a manner that allows access, retrieval and use of that data.

Similar presentations

Ads by Google