Where are you now? Regulatory Basis > Warning Letters > Warning Letters Digest > 21 CFR Part 11
21 CFR Part 11 Related Warning Letters
The US Food and Drug Administration (FDA) published its electronic records and signatures regulation on March 20, 1997, taking effect from Aug. 20, 1997. The rule applies to any electronic record keeping activity which replaces traditional paper-based methods required by federal statute or regulation in all FDA-regulated areas.
According to recent US polls, less than 11 % of affected companies comply with 21 CFR Part 11 requirements. Despite this low percentage, manufacturers who acknowledge the direct benefits it affords them have readily accepted the Rule. It is apparent however that implementation requires an enormous restructuring procedurally, administratively and financially. When taking into account the complexities of fully implementing the Rule, together with the considerable financial investment it requires, there is little doubt that it will take several more years to achieve full compliance.
Although the FDA is fully aware of these difficulties, the increasing number of Warning Letters being issued is a clear indication that the agency is gradually adopting a firmer stance in its expectations for a more rapid and full deployment of the 21 CFR Part 11 requirements by those companies electing to adopt it.
These files are in Adobe PDF format.
Click on the "Get Acrobat Reader" icon on the left of the page to
download a free copy of the Acrobat Reader.
Earlham College, 2002-07-29
"Our Investigator noted that the laboratory is using an electronic record system for processing and storage of data from the atomic absorption and HPLC
instruments that is not set up to control the security and data integrity in that the system is not password controlled, there is no systematic back-up provision, and there is no audit trail of the system capabilities. The system does not appear to be designed and controlled in compliance with the requirements of 21 CFR Part 11, Electronic Records."
Cardinal Enterprises, Inc., 2001-12-07
"Master production and control records are not prepared, dated, and signed by one person with a full handwritten signature and independently checked, dated and signed by a second person. Master production records are generated from a computer as electronic records without any apparent controls to assure authenticity and integrity."
Sorenson Development, Inc., 2001-10-17
"Computer and/or automated data processing system software used in production and quality systems, including the use of electronic signatures, has not been validated."
Luneau S. A., 2001-10-12
"During the FDA inspection it was discovered that electronic records are used to establish portions of your design output, 21 CFR 820.30(d). However, there is no documentation to establish that these records meet the requirements of 21 CFR Part 11, Electronic Records; Electronic Signatures. The requirements of 21 CFR Part 11 are designed to ensure that electronic records are trustworthy, reliable, and generally equivalent to paper records."
"For example, drawing collection set is considered an electronic record. There is no documentation to establish that the system by which these records were produced has been properly validated. There is no ability to generate accurate and complete copies of records in human readable and electronic form. There is no protection of records to enable their accurate and ready retrieval. Access to your system has not been limited and there are other significant deficiencies as well.....Only electronic records and electronic signatures that meet part 11 requirements may be used to satisfy record and signature requirements of 21 CFR 820.30(d), Design Output."
Michigan Instruments, Inc., 2001-10-01
"During the FDA inspection it was discovered that electronic records are used to establish the firm's Complaint Files, 21 CFR 820.198. However there is no documentation to establish that these electronic records meet the requirements of 21 CFR Part 11, Electronic Records; Electronic Signatures. For example: review of your electronic complaint files reveals they have not been properly validated, there is no ability to generate accurate and complete copies of records in human readable and electronic form, there is no protection of records to enable their accurate and ready retrieval, access to your system has not been limited, as well as other significant deficiencies.....Only electronic records and electronic signatures that meet 21 CFR Part 11 may be used to satisfy the requirements of 21 CFR 820.198 Complaint Files."
Cardinal Health, Inc., 2001-07-10
"Failure to have an adequate validation procedure for computerized spreadsheets used for in-process and finished product analytical calculations. The current validation procedure uses only the values that result in within specification findings, aberrant high findings, and aberrant low findings [21 CFR 211.165(e)]."
"Failure to use fully validated computer spreadsheets to calculate analytical results for in-process and finished product testing [21 CFR 211.165(e)]."
"Failure to have appropriate controls over computerized laboratory systems to assure that changes in or deletions of records are instituted only by authorized personnel [21 CFR 211.165(e)]."
EP MedSystems, 2001-07-10
"Your firm failed to validate several computer databases that are used for quality functions including your Access database, your xxxxx software, and your MS Excel spreadsheet program as required by 21 CFR 820.70(i)."
Aventis Bio-Services, 2001-06-29
"Employee training on the use of the new xxxxx computer system, which is used in donor screening and product processing, was not-complete. Employees were not very familiar with this computer system. Additionally, the center director had not received any training on this computer system even though he retains a high security level for data entered on this computer system."
"The validation and installation records for the xxxxx computer system were incomplete. Installation of this system was performed on 11/1 7/2000, however the validation study was not formally approved until 4/1 9/2001."
Stough Enterprises, 2001-04-18
"Failure to establish and implement adequate computer security to assure data integrity in that during this inspection it was observed that an employee was found to have utilized another person's computer access to enter data into the Plasma Center Module computerized record keeping system [21 CFR 211.68(b)]. Review 21 CFR 11 for regulations pertaining to the utilization of electronic records and signatures, and security controls pertaining to both."
Cardiomedics, Inc., 2001-04-13
"No procedures for the development of software used to control devices."
"The software used for the operation of the CardiAssist Counter Pulsation system was not properly validated. Problems with this software have been identified and corrective measures have been undertaken to replace this software version."
Omicron Quimica, S.A., 2001-04-11
"Laboratory worksheets were not always checked by a second individual and crossed-out data on the worksheets was not always observed to have been initialled and dated by the person changing the data."
"The validation records lacked operator identification, dates of processing, and signature or date of the person approving the report."
NeuroControl Corp., 2001-04-09
"The recent FDA inspection revealed that your firm is also utilizing electronic record keeping (a new Field Reports Database) in your CAPA procedure. In your letter, it was indicated that the Field Reports Database is currently being validated and is scheduled for full implementation. However, your response did not outline your firm's global action plan to address all record keeping issues at your firm."
Allergy Laboratories of Ohio, Inc., 2001-01-23
"Manual verification of calculations and inventory tracking with the existing computer software that has been found to be problematic is not an adequate reason for lack of validation. Existing computer software should be validated or replaced."
Aventis Behring, L.L.C., 2001-01-22
"Failure to exercise appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)] in that changes were not implemented to restrict access and entry of data by Chiron Behring employees after they were no longer entering sterility testing results into Aventis Behring's laboratory information management system (LIMS)."
Pharmacia Corporation, 2001-01-11
"The xxxxx equipment's computer used for xxxxx filling operations which retains equipment errors that occur during filling operations, lacked the capacity to retain electronic data. After every 15th filling operation, the information was overwritten due to the storage capacity of the equipment's hard drive."
Leiner Health Products, Inc., 2000-09-22
"Please provide more detail regarding the computer validation procedures you have committed to in your FDA-483 response. It is unclear to the District that your procedures encompass all the requirements of 21 CFR 211.68. Automatic, mechanical, and electronic equipment, and 21 CFR Part 11, ELECTRONIC RECORDS; ELECTRONIC SIGNATURES."
Paradigm Medical Industries, Inc., 2000-08-30
"It is also noted in the inspection report that you do not have adequate control over the receipt of study data and its subsequent input into the database. There are no records to show when study data is received and when it is entered into the database. There is also no audit trail for changes made to the database. No data queries or clarifications have ever been generated and sent to the sites to verify missing information or to clarify discrepancies."
"Electronic records, the subject of SOP-100-720, Electronic Database Maintenance, are subject to 21 CFR Part 11- Electronic Records; Electronic Signatures, as well as to the record keeping regulations found in 21 CFR 812.140."
Baxter Healthcare Corporation, 2000-08-11
"We further request details regarding steps your firm is taking to bring your electronic cGMP records into conformance with the requirements of 21 CFR Part 11; Electronic Records; Electronic Signatures....."
"This inspection disclosed deficient controls in the laboratory electronic record keeping system, which is used for maintaining chromatography and audit trails. In addition to a response to the deficiencies noted earlier in this letter, please outline your firm's global corrective action plan, including timeframes for correction, to address this Part 11 issue...."
Integrity Pharmaceutical Corporation, 2000-07-11
"Failure to have appropriate controls over computer or related systems to assure that changes in records are instituted only by authorized personnel, as required by 21 CFR 211.68(b)."
Sani-Pure Food Laboratories, 2000-06-14
"The computer software your firm uses to determine metals analysis is deficient. It has no security measures to prevent unauthorized access of the software, no audit trails, and data can be copied or changed at will, with no documentation of the copying or changes. Your procedures do not require the documentation of calculation or entry errors. There is no documentation to indicate that analysts are trained in the software and its applications."
Schering-Plough Corporation, 2000-05-08
"Failure to maintain complete data from all laboratory tests as required by 21 CFR 211.94 (a). There is no back-up file for laboratory UV spectrophotometer test results for some tests. The spectrophotometer does not automatically back-up data and the analyst is required to assign an identification number to each individual chromatogram in order for it to be saved. In some cases, original data was lost and the tests had to be performed again to determine final distribution of the lots."
Johnson Matthey, Inc., 2000-03-07
"Your firm failed to implement appropriate controls over your High Performance Liquid Chromatography (HPLC) to assure that only authorized changes can be made. It was noted during the inspection that there is an option on the HPLC that allows analysts to delete results after they are processed."
Schein Pharmaceutical, Inc., 2000-03-02
"Failure to maintain the integrity and adequacy of the laboratory's computer systems used by the Quality Control Unit in the analysis and processing of test data. For example: there was a lack of a secure system to prevent unauthorized entry in restricted data systems. Data edit authorization rights were available to all unauthorized user not only the system administrator."
Linweld, Inc., 1999-08-02
"We request further details regarding steps your firm is taking to bring your electronic CGMP production records into conformance with the requirements of 21 CFR Part 11; Electronic Records; Electronic Signatures."
"Our inspection disclosed numerous and significant deviations from part 11. Examples include: a) The system does not generate an audit trail, and there is no way to determine if values have been changed on batch production records....; b) No written procedures that would hold individuals accountable for actions taken under their electronic signatures....; c) No documentation or testing of the system's ability to discern invalid or altered records....; d) No documentation to show if the system has the ability to generate accurate and complete copies of records in electronic form; copies of electronic records cannot be generated at these sites....; e) No safeguards to prevent unauthorized use ef electronic signatures that are based on identification codes/passwords when an employee who has logged onto a terminal leaves the terminal without logging off....."
Gensia Sicor Pharmaceuticals, Inc., 1999-07-21
"Failure to maintain laboratory records to include complete data derived from all tests necessary to assure compliance with established specifications and standards [21 CFR 211.194]. Specifically, your firm failed to properly maintain electronic files containing data secured in the course of tests from 20 HPLCs and 3 GLCs. Additionally, no investigation was conducted by your company to determine the cause of missing data and no corrective measures were implemented to prevent the recurrence of this event."
North American Science Associates (NAmSA), 1998-11-24
"Failure to maintain adequate controls over computers and related systems to assure that changes in the master production and control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)]. For example: (1) there is no current listing of individuals who have access to the Customer Service Unit's database program or to what level of access each individual has; (2) there is no procedure in place to grant, modify or remove access privileges to this software."
"The Customer Service Unit's (CSU) database program which generates the sample test worksheets that are identified by sequential sample numbers, allows for the multiple printing of these worksheets. Copies will have the same sample number as the original without any indication which version is the original and which is a subsequent copy. Further, there is no audit trail within the computer that identifies how many worksheets have been generated for a given sample number."
"The procedure entitled 'Approval of Raw Data', allows for managers to approve their own work. Therefore, work they perform and approve does not require the initials and signature of a second person showing that the work has been reviewed for accuracy, completeness and compliance with standards."
AccuMed Inc., 1998-06-09
"Your Waters HPLC hardware and software system used for assay testing of products in the laboratory has not been qualified or validated. There are also no written procedures for the security of data files, password control, access levels, and functions, or preventative maintenance."
Bayer Corporation, 1998-01-30
"Failure to assure that input and output from a computer has been checked for accuracy [21 CFR 211.68(b)]. For example: the database of microbial sampling results is not maintained in a manner that facilitates complete and accurate review of the data in that the employees' initials are not entered consistently."
Rhone-Poulenc, Inc., 1997-01-07
"The computer validation protocol fails to address process changes and software maintenance and does not provide for a back up system or schedule nor specify who has authority to access specific programs or make software changes."
Berlex Laboratories, Inc., 1996-12-03
"Appropriate controls are not exercised over the xxxxx software, used by Quality Control and Technical Services, to assure that changes in laboratory control records are instituted only by authorized personnel."
"Without an audit trail to check the use of these functions how is your firm assured that appropriate control has been exercised? Your SOP xxxxx does not define the level of authority needed to execute these commands."
"Security measures have not been instituted to prevent unauthorized access to the xxxxx system used in the Quality Control and Technical Services Laboratory for Fludara raw material and finished product testing."