Warning Letter regarding Insufficiencies Around Access Control
On 5 December 2019, the US FDA issued a Warning Letter (320-20-10) to the Australian firm Tismor Health and Wellness Pty Limited, following an inspection conducted from May 20 to 24, 2019. This Warning Letter is an excellent example of the remediation activities required by the US FDA when insufficiencies are found around access authorization.
Observation
This US FDA observation relates to 21 CFR Part 211.68(b). This section in the cGMP for the manufacturing of drugs and finished pharmaceuticals is connected with the automatic systems performing cGMP functions. With regard to e-records integrity, 211.68(b) provides the following principles:
- Access authorization
- I/Os verifications
- E-records storage and backups.
Specifically related with this observation, the concerned principle is access authorization:
Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
Tismor Health and Wellness Pty Limited assigned administrative privileges to analysts conducting routine assay tests using an Empower chromatography software data system.
Users must only have access to the system functionality that is appropriate for their job role. The system owner must establish, via procedural controls, diverse authority for operation and system management. The user authority of the person responsible for the business process should match corresponding responsibilities, and should not be given the authority of system administrator. The administrator privileges should not be given to normal users on the system. There must be a segregation of duties.
During the review of the Empower chromatography audit trail for the firm's drug product, the investigator observed that more than 100 test results had been deleted since October 2017. Furthermore, over a 100 sample set results were aborted during this same period, although the firm lacked investigations.
As the result of not correctly assigning the access level to users, the firm quality system does not adequately ensure the accuracy and integrity of the data to support the safety, effectiveness and quality of the drugs manufactured. Without complete and accurate records, this firm cannot assure appropriate decisions regarding batch release, product stability, and other matters that are fundamental to ongoing assurance of quality.
The response of the firm
- Acknowledgement that analysts did not understand the implications of deleting data and attributed the problem to the lack of data integrity training at the firm
- The applicable procedural control did not contain requirements to regularly review audit trails
- The updated applicable procedural control includes guidance on management of users, assignment of administrative privileges, and the circumstances when administrative privileges can be used
- Investigation of previously deleted data and aborted sample sets
- The firm will take further actions depending on the outcome of this investigation
What does the FDA expect in response to this Warning Letter?
The firm's response to this observation was insufficient. For similar deviation to the regulations, the FDA expectations are:
- A comprehensive, independent assessment of the laboratory practices, procedures, methods, equipment, documentation, and analyst competencies. Based on this review, the firm should provide a detailed plan to remediate and evaluate the effectiveness of the laboratory system
- A comprehensive assessment and remediation plan to ensure that the quality unit (QU) is given the authority and resources to effectively function. The assessment should also include, but not be limited to:
- A determination of whether procedures used by the firm are robust and appropriate
- Provisions for QU oversight throughout the operations to evaluate adherence to appropriate practices
- A complete and final review of each batch and its related information before the QU disposition decision
- Oversight and approval of investigations and discharging of all other QU duties to ensure identity, strength, quality, and purity of all products
- The firm must describe how top management supports quality assurance and reliable operations, including but not limited to timely provision of resources to proactively address emerging manufacturing/quality issues and to assure a continuing state of control. - A comprehensive, independent assessment of computer system performance and security. A report is to be attached that identifies vulnerabilities in the design and controls, and a thorough corrective action and preventive action (CAPA) plan for each laboratory computer system, which addresses the following elements:
- A list of all hardware (both standalone and networked) and software used by the laboratory
- The firm should identify and evaluate vulnerabilities in performance and security of all of these computer systems, including but not limited to their configurations, administrative rights, password controls, audit trails capabilities and state of implementation for each system, qualification/validation status, deviation history, backup capabilities, network requirements, completeness of data records, suitability of current hardware/software for its intended use(s), change management, and management oversight
- More details regarding the associated user privileges for each system
- The firm should specify user roles and associated user privileges for all staff levels who have access to the laboratory computer system, and provide organizational affiliations, responsibilities, and titles. All staff with administrator privileges should be specified
- A full description how to ensure segregation of firm personnel involved with laboratory testing from those with administrator rights. For all staff roles that are permitted to have administrative rights, the scope and type of privileges should be specified
- Assessment of each system to determine if unique user names and passwords are used
- Evaluation of policies and procedures regarding computers and data governance, with special emphasis on audit trails, prohibiting data deletion, and appropriate modifications of results. How the firm will prevent data deletion and undocumented/inappropriate modifications of data should be specified. The firm should also describe how to ensure original data and how information is always preserved. The procedures for audit trail review should be provided
- Requirements for data retention and backup for all laboratory systems should be provided
- How the firm ensures that all quality control tests are performed by an analyst and receive second-tier review from a separate qualified individual (e.g., lab manager) should be described. Related procedure(s) should be provided
- The interim controls to assure reliable performance and security while the CAPA plan is being implemented should be summarized
Source: Warning Letter to Tismor Health and Wellness Pty., dated December 5, 2019
Author: Orlando Lopez