To effectively prepare for a visit from FDA, you must learn to look at your operations through the eyes of an FDA inspector. For your computerized systems, some items FDA inspectors and investigators are trained to observe include:
– Is data is being collected concurrently with the performance of your operations?
– Are systems designed to record non-conformances?
– Do systems question out-of-specification results but not borderline results?
– Are passwords shared, maintained on “Post-Its”, or found in the middle desk drawer?
– Are password restrictions logical (e.g., not re-used, not the same as user IDs, not just one character or space, or easily guessed)?
– Are adequate protections in place when employees leave or transfer — or IDs are compromised?
– Are systems left on and unattended?
– Are electronic signatures being used and, if so, has the firm filed a Part 11.100(c) notification?
– Are hybrid systems being used and, if so, how are handwritten signatures linked to electronic records?
– Are electronic copies of electronic records available?
– Does the firm truly understand “system validation”?
– Can records be altered without leaving a trace?
– Are changes to electronic records obvious and clearly flagged to indicate a change?
– Is the original data readable?
– Have system administrators been trained in network operations and security?
– Are systems open or closed — and what is being done to ensure the security of open systems?
To learn more about how FDA inspectors might examine your computerized systems, your software development and maintenance procedures, and your data integrity/data security efforts, attend EduQuest’s three-day flagship training class, FDA Auditing of Computerized Systems and Part 11/Annex 11, which has trained hundreds of FDA-regulated companies in the past 20 years.