Most regulated organizations are well aware of the need to deliver the core suite of planning, user requirement, functional and design specification, testing protocol, and summary report documentation required to complete a successful validation of their computerized system. They are also conscientious about adhering to the requirements found in the first eight paragraphs of 21 CFR Part 11, Sec. 11.10, Controls for closed systems. These are, of course, “(a) validation of systems, (b) copies of records, (c) protection of records, (d) Limiting system access to authorized individuals, (e) audit trails, (f) operational system checks, (g) authority checks, and (h) device checks”. However, the system controls for training records and user authorizations are an easily overlooked or underestimated element of the validation effort and the software lifecycle, and the FDA has specific expectations regarding them.
The next paragraph, Sec. 11.10 (i), concerns “Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.” Organizations should not discount this requirement when delivering a validation package for a new system or for system changes.
Keep in mind that a computer system may be fully technically qualified, yet it is not fully validated unless the personnel who will perform their tasks in the system are fully qualified to correctly apply its work processes, electronic records, and electronic signatures. Compliance with this requirement takes more than an undocumented decision-making process.
First, a training plan should be designed, approved, and implemented to address the qualification of personnel who will access the system at every level. The plan should prescribe curricula specific to each level of access and permissions, and it should include or refer to the policies and procedures that govern the maintenance of training records. It is important that these training records be created and maintained for any GxP system, because they are often the go-to “litmus test” for auditors: they give an initial indication of the validated state of the system.
Second, a security plan should be designed and implemented that includes procedures for processing formal user access requests and for granting system permissions. This ties back to paragraph (d), which calls for limiting system access to authorized individuals. Authorization should be granted only to personnel who meet the qualification criteria of the system’s training plan. Access requests and the procedures used to process them should be formalized and approved by the appropriate stakeholder(s). The plan should also define a process for removing users from the system and for conducting periodic reviews to ensure that no user retains access to system tasks for which they are no longer authorized.
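As an added illustration of the periodic review described above (an example written for this page, not code from the original article), the following Python sketch cross-checks the current permission grants against the training plan's per-level curricula and the training log, flagging grants whose qualifying training is missing or lapsed and grants still held by people whose authorization has ended. The level names, course codes, retraining interval and sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Curriculum per access level (constructed; not any real training plan).
CURRICULA = {
    "viewer": {"SYS-101"},
    "analyst": {"SYS-101", "SYS-201"},
    "admin": {"SYS-101", "SYS-201", "SYS-301"},
}

@dataclass
class TrainingRecord:
    user: str
    course: str
    completed: date
    valid_days: int = 365  # assumed retraining interval

@dataclass
class Grant:
    user: str
    level: str
    active: bool = True  # False once the person leaves the role or company

def current_courses(records, user, as_of):
    """Courses the user completed within their validity window as of `as_of`."""
    return {r.course for r in records  # future-dated entries are not counted
            if r.user == user and 0 <= (as_of - r.completed).days <= r.valid_days}

def review_access(grants, records, as_of):
    """Periodic access review: returns (user, level, action, missing_courses)."""
    findings = []
    for g in grants:
        if not g.active:  # authorization ended: access must be removed
            findings.append((g.user, g.level, "revoke", []))
            continue
        required = CURRICULA[g.level]  # KeyError: grant outside the approved plan
        missing = sorted(required - current_courses(records, g.user, as_of))
        if missing:  # qualification never completed or has lapsed
            findings.append((g.user, g.level, "restrict", missing))
    return findings

RECORDS = [  # constructed sample training log
    TrainingRecord("alice", "SYS-101", date(2015, 6, 1)),
    TrainingRecord("alice", "SYS-201", date(2015, 6, 15)),
    TrainingRecord("alice", "SYS-301", date(2015, 7, 1)),
    TrainingRecord("bob", "SYS-101", date(2014, 12, 1)),  # lapses before the review
    TrainingRecord("bob", "SYS-201", date(2015, 9, 1)),
]
GRANTS = [Grant("alice", "admin"), Grant("bob", "analyst"),  # constructed grants
          Grant("dave", "analyst", active=False), Grant("erin", "analyst")]
REVIEW_DATE = date(2016, 2, 8)
```

Running `review_access(GRANTS, RECORDS, REVIEW_DATE)` yields a restrict finding for bob (SYS-101 lapsed), a revoke finding for dave (no longer active) and a restrict finding for erin (no training on record), while alice's admin grant is fully supported.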
In its draft guidance ‘Data Integrity and Compliance with CGMP Guidance for Industry’, published in April 2016, the FDA reminds us that “You must exercise appropriate controls to assure that changes to computerized MPCRs, or other records, or input of laboratory data into computerized records, can be made only by authorized personnel (21 CFR §211.68(b)).” It also refers to “21 CFR §211.25 and §212.10, which state that personnel must have the education, training, and experience, or any combination thereof, to perform their assigned duties.” A query of the database of FDA Form 483s issued between October 1, 2012 and February 8, 2016 found that, of 280 computer-system-related citations, 84 cited a failure to exercise appropriate controls over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.