|
Die Anforderungen an Laboratory Information
Management Systems (LIMS) und Chromatography Data Systems (CDS) sind u.a. in der
amerikanischen Guidance 21 CFR Part 11 (Electronics Records; Electronic
Signatures) geregelt. Allerdings hat die amerikanische Food & Drug
Administration (FDA) ihre Interpretation der Guidance in Form von verschiedenen
Draft Guidances schon Anfang 2003 zurückgezogen, nachdem diese Interpretationen
die Industrie vor vielfältige Probleme gestellt hatten. Auch die bereits für
Ende 2005 in Aussicht gestellte Neufassung der Guidance hat die Behörde bis
heute nicht veröffentlicht. Außerdem sind die Anforderungen auch in anderen
Regelwerken alles andere als eindeutig definiert, wie unterschiedliche
Auslegungen beweisen.
Trotzdem haben Warning Letters der FDA aus dem Jahr 2006 gezeigt, dass die
Behörde LIMS/CDS in Inspektionen keineswegs vernachlässigen und dass die
Industrie der Thematik eine erhöhte Bedeutung zumessen sollte.
Auszüge aus FDA Warning Letters:
Beispiel 1:
"Laboratory records failed to include the initials or signature of a
second person showing that the original records have been reviewed for accuracy,
completeness, and compliance with established standards [21 CFR 211.194(a)(8)].
The above discussed manipulations were performed by analysts using the …
Chromatographic Data System (CDS)… . Although the audit function is used in your
procedures, there is no specific requirement regarding any review of the audit
trails, and your records failed to include documentation that a second person
had conducted such a review. In fact, our investigator was told that no such
audit had ever been performed. However, a second person must review these audit
trails, particularly given the lack of controls for preventing data
manipulation. Such an audit may well have detected the data manipulation which
was occurring at your facility."
Beispiel 2:
"Failure to employ appropriate controls over computer or related systems
to assure that changes in master production and control records or other records
are instituted only by authorized personnel
[21 CFR § 211.68(b)].
For example, your firm has inadequate security measures in place to assure
the integrity and reliability of data generated by your laboratory. During the …
inspection, our investigators observed your laboratory analysts operating
computers under different analysts' names. Your analysts told our investigators
that using other laboratory personnel's names and passwords was a common
occurrence in your firm's laboratory while using your … laboratory software."
Beispiel 3:
"Appropriate controls are not exercised over computers or related systems
to assure that changes in analytical methods or other control records are
instituted only by authorized personnel [21 CFR § 211.68(b)].
Specifically:
a) Laboratory managers (QC and R&D) gained access to the … computer system
through a common password. Analysts were not required to use individual
passwords; they operated the system following the login by the laboratory
managers.
b) Due to the common password and lack of varying security levels, any analyst
or manager has access to, and can modify any HPLC analytical method or record.
Furthermore, review of audit trails is not required."
|
