Laboratory Systems - ER location and protection

Let’s say I have a piece of analytical equipment connected to a computer on which the software required to perform the analysis is installed. The equipment and the software are both COTS systems, although the software allows some degree of configuration to meet 21 CFR Part 11 requirements.

During software installation, the location (folder) where my data files will be stored was specified. When the user performs an analysis and presses the save button, the software opens a window where the user can choose where to save the file, although by default the software shows the folder identified during installation. The software does not prevent the user from saving the data file in a folder different from the one specified by default. If the analyst desires, he can save the file in another location such as the desktop.

I have an audit finding related to what is described above, because the auditor claims that it should not be possible to save the files in locations other than the default folder, since it is an open door to fraud (he says that the analysts can “hide” the bad results).

For me this is a typical issue with analytical software where the data is saved in folders, and apparently there is no simple solution for this.

What are your thoughts on this?

I was taught that if you can’t establish controls electronically, you may do so procedurally. However, procedural controls are considered temporary until electronic controls can be implemented. You should have a documented plan in place for how you plan to achieve compliance. It might also help if your company has a documented policy in place stating that hiding “bad” lab results and other forms of falsification are grounds for immediate dismissal.

I am very interested in what others have to say on this topic, including Graham!

Well, just because something feels bad doesn’t warrant a finding - the auditor needs to cite the requirement that’s being violated.

However, in this case, I would tend to agree. The approach you describe would not seem to support the requirements for ensuring accuracy, reliability, and the ability to discern invalid or altered records (21 CFR Part 11.10(a)) or the protection of records to enable their accurate and ready retrieval throughout the records retention period (11.10(c)).

COTS systems, no matter what the vendor might claim, need to be validated for their intended use in their use environment. You can take a perfectly designed and supported system and use it in a way that violates the requirements.

I would tend to agree with the auditor in this case.

This is a tricky one and if you can’t secure the files through the application then the only choice you have is to implement control procedurally…which is never the ideal option really.

Have you asked the vendor what other companies have done in the past in this scenario?

I would also review your vendor selection process and ask the person who did the Part 11 Assessment (I am assuming you did one) why this slipped through the cracks.