Need Help With Computer System Validation?

by Zener Engineering Services Ltd
•
08 May, 2024
•

Are Your Electronic Records and Signatures Secure?

From the late 1980s onwards, validation of computer systems in pharmaceutical manufacturing has assumed much greater importance, due to increased regulatory scrutiny by the FDA and the MHRA. The issue of electronic data integrity and security was again highlighted by the Enron financial scandal, which resulted in a massive fraud, where shareholders lost tens of billions of dollars. Many Enron executives, Enron’s accounting firm, and certain bank officials, were prosecuted.

So how does this all apply to patient safety? Simply ‘Data Integrity is Data integrity, regardless of what the data applies to,' according to Zener Engineering Services Director and CSV expert David Easton.

David explains 'The shape and size of the validation strategy for a Computer System depends on the extent and detail of the user requirements. The validation activity must test and ensure the reliability, consistent intended performance, and ability to discern invalid or altered records, of any computer system.'

Here are some basic functionality requirements, which should be validated to ensure the integrity and security of data. While the list below is not comprehensive, GxP Computer Systems should have the ability to:

Generate accurate and complete copies of records in both human-readable and electronic form, suitable for future inspection, review, and copying.
Protect records to ensure their accuracy, and have the ability for record retrieval, throughout the records' retention period.
Provide limited system access – to authorised individuals only.
Utilise a secure, computer-generated, and time-stamped, audit trail to independently record the date and time of entries and actions that create, modify, or delete, electronic records.
Record changes which do not obscure previously recorded information.
Have a system password requirement of a minimum of six characters.
Enforce password change at least every six months.

It is vital that quality is built into GxP Computer Systems during their development and commissioning, and, equally, that any GxP Computer System is operated and maintained in a compliant manner, ensuring the integrity and security of data. The goal of the qualification exercise performed by the end organisation should be to end up with a validated, compliant Computer System that meets the spirit of all current computer system regulatory expectations to help safeguard the patient, by building upon existing good practice from industry, in an efficient, effective, manner.

Lack of Understanding?

In the experience of ZES Director David Easton, there seems to be a lack of understanding in some quarters regarding the issues surrounding electronic data security and integrity for Computer System.

David said 'As an example, an organisations Director told me that the electronic data stored on a particular Computer System, for medical devices, was ‘safe and secure’, based on the fact that the system had a ‘front-end’ password. The system in question, was, in fact, the most insecure I’ve ever worked on, due to the ability of any employee, once signed in via the front-end password, to change any record, including critical results, without any audit trail of when the actual change was made, or by whom. The Computer System was new to the organisation.

David continued 'I also recall that an employee called David, who sat behind me, typed in a password **** to gain access to a Computer System, at which point I asked the employee: ‘Please tell me your password isn’t ‘DAVE’, to which the employee replied ‘Yes, and I’ve had it for four years’.

In 2014 David was involved with an East Midlands pharmaceutical company, where the Site Director gained access to a GxP Computer System with the password - 'let me in'. 'The understanding and regard that some pharmaceutical and medical device companies place on computer system Security and Data Integrity is some what lacking in certain areas.'