Is your CDS administration under control? Yes? You’d better be prepared to prove it!
Control of Administration Console Settings
FDA 483 Warning letter [extract]
There are no written procedures for this computer system that outlines the responsibilities and privileges of the laboratory personnel who utilize the software
It describes training requirements for new users and what users at each level can do and access.
During many audits I have been asked a multitude of questions about this SOP and Chromeleon User access and control, for example:
Auditor: ‘What’s to stop you just making changes and turning them back once an action had been completed?’
Me: ‘Changes can only be made by an Admin and they are recorded in the admin audit trail’
Auditor: ‘Who has administration access and privileges?’
Me: ‘1 x IT department / 1 x QA’
Auditor: ‘Are the audit trails active and who can switch them off?’
Me: ‘Yes, only the IT administrator has this privilege, any switch off is recorded in the audit trail’
Auditor: ‘Can the date and time function be accessed and changed?’
Me: ‘No, only IT can do this’
Auditor: ‘Can electronic data be deleted?’
Me: ‘Only by an Admin, and any deletion is recorded in audit trails’
Auditor: ‘Do you use generic user accounts?’
Me: ‘No, every user has a personal account, including service engineers’
Auditor: ‘How do new users gain access to the software?’
Me: ‘Access given to a training role/Data Vault. The user must complete role-specific training before being granted access to other roles and Data Vaults’
Any changes to both the SOP and Chromeleon CDS must be carried out using our change control procedure.
Do Your Administrators Understand the Importance of Data Integrity?
Moving top-level administrator privileges outside of the laboratory is highly recommended but the people given these responsibilities (typically in IT) must understand the importance of this and the impact of making any changes, no matter who asks! One important question to consider: Is your top level admin susceptible to someone asking ‘Can you just uncheck that box for a minute?’ or ‘Could you delete this sequence please?’
Sterling’s IT department has this responsibility along with a clear understanding of data integrity requirements — they are included in our annual GxP / data integrity training programs. This ensures that they will not act on any request regarding Chromeleon CDS or other lab data system without the appropriate documentation and authorization.
Access Controls: Who Can Do What?
If possible, I would say that the Chromeleon Administrator should not be involved in any laboratory analysis. This could be seen as a conflict of interest. If this cannot be avoided, I would definitely ensure that this person has an admin account and an analyst account and ‘changes hats’ to carry out the different roles. At Sterling we are in the fortunate position of having two main administrators, a member of the IT team and me in QA, and laboratory analysis is not in our job descriptions.
Chromeleon CDS provides a range of options to control the types of activities users can perform, by creating user roles, while restricting users’ access to relevant Data Vaults or folders. Below are some of the more than 180 privileges that can be selected for different user roles.
Do you have these documented, along with how you are using them?
The Sterling SOP details which of these are activated for which role in a substantial matrix of roles and privileges. In the past I have had external auditors physically check on screens that these were correctly implemented in the CDS, so having this matrix was invaluable.
Obviously only user roles with administration privileges can make changes in the Chromeleon Administration Console. Any changes to these admin privileges are recorded in the Administration Console audit trails, and with the introduction of Privileged Actions in Chromeleon CDS 7.2 SR5, a comment and the authorized user’s password must be entered to effect any changes to admin settings or policies.
Privileged Actions are a powerful tool recently added in Chromeleon CDS and I briefly mentioned them in my previous blog post. You can also read more about them in the following white paper:
All Words but No Action?
So far we have a procedure and good intentions but what evidence do we have that the CDS administration is actually being controlled? Now we must show that both the procedural and technical controls are being used and are effective. The Administration Console audit trails in Chromeleon 7 CDS are a great tool to help us in this endeavor.
To provide documented evidence that we are maintaining control of Chromeleon CDS and that there is no suspicious activity, we conduct a regular review of the Administration Console settings, user database audit trail and global policies audit trail. This is currently being done on an annual basis, but as we are updating the procedure, we plan to increase this to a quarterly review.
During this review we will:
- Generate and print an Admin Console report
- Check the user settings against the SOP and the previous review
- Reconcile any detected changes with documented change controls where applicable
- Check for any suspicious activity
- Check for deletions
What Counts As Suspicious?
But what if something was deleted? Was it justified/authorized? What should be viewed as suspicious activity? Consider the following Chromeleon Administration audit trail:
The eagle-eyed among you will notice that I logged into two different Chromeleon Stations at 08:33:53 as Administrator and Analyst. You can similarly see I logged into the Chromeleon Administration Console at 08:34:13 to take the above screenshot. You can also see three logoffs from these sessions.
Once observed, you should ask if it is possible to log onto two clients simultaneously. In this case, yes. The computers are side by side and I could reach the keyboards of both. If these stations had been in different labs, different parts of our site, or even in a different site or country then we could have a serious problem. The implication would be that more than one person has the logon credentials for this account. Therefore it is a good idea to have a location list or site map of your Chromeleon CDS computers.
Other things to look out for include:
- Multiple login failures and account lockouts: Is someone trying to gain access to an account?
- Out-of-hours logins: Should the user be on site? Were they actually on site? Use site access logs to confirm if possible.
- Incorrect role and access groups: Check against the user’s training. Are they authorized to have the roles they are using?
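The login checks above can be run over an exported audit trail before the manual review. The sketch below is an added example, not part of the original post or of Chromeleon CDS; the row layout, station names, user IDs, site map and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed site map (station -> location) and review thresholds; adjust to your SOP.
STATIONS = {"LAB1-PC01": "QC Lab 1", "LAB1-PC02": "QC Lab 1", "SITE2-PC07": "Site 2"}
WORK_START, WORK_END = time(7, 0), time(19, 0)
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=10)

# Constructed rows (timestamp, user, station, event); the layout is an assumption,
# not the CDS's real export format.
SAMPLE = [
    ("2024-03-04T08:33:53", "jsmith", "LAB1-PC01", "LOGON"),
    ("2024-03-04T08:33:58", "jsmith", "LAB1-PC02", "LOGON"),   # same lab: explainable
    ("2024-03-04T08:40:00", "jsmith", "LAB1-PC01", "LOGOFF"),
    ("2024-03-04T08:40:05", "jsmith", "LAB1-PC02", "LOGOFF"),
    ("2024-03-04T09:00:00", "akhan", "LAB1-PC01", "LOGON"),
    ("2024-03-04T09:05:00", "akhan", "SITE2-PC07", "LOGON"),   # different site
    ("2024-03-04T10:00:00", "mlee", "LAB1-PC02", "LOGON_FAILED"),
    ("2024-03-04T10:01:00", "mlee", "LAB1-PC02", "LOGON_FAILED"),
    ("2024-03-04T10:02:00", "mlee", "LAB1-PC02", "LOGON_FAILED"),
    ("2024-03-05T02:14:00", "tbrown", "LAB1-PC01", "LOGON"),   # outside working hours
]

def location(station):
    # A station missing from the site map counts as its own, unverified location.
    return STATIONS.get(station, "unlisted:" + station)

def review(rows):
    """Return (finding, user, timestamp) tuples in time order."""
    findings, sessions, failures = [], defaultdict(set), defaultdict(list)
    for ts, user, station, event in sorted(rows):
        t = datetime.fromisoformat(ts)
        if event == "LOGON":
            if not WORK_START <= t.time() <= WORK_END:
                findings.append(("out_of_hours", user, ts))
            # Overlapping sessions only matter when the stations are in different places.
            if any(location(s) != location(station) for s in sessions[user]):
                findings.append(("concurrent_remote", user, ts))
            sessions[user].add(station)
        elif event == "LOGOFF":
            sessions[user].discard(station)
        elif event == "LOGON_FAILED":
            failures[user] = [f for f in failures[user] if t - f <= FAIL_WINDOW] + [t]
            if len(failures[user]) == FAIL_LIMIT:
                findings.append(("failure_burst", user, ts))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Each finding is a prompt for a question, such as checking site access logs or asking the user, not a conclusion in itself.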
Our quarterly system audit reports are not expected to be a granular, forensic review of all activities recorded since the last audit, but a review deep enough to gather evidence that our procedural and technical controls are and continue to be effective.
Outside of these reviews, we always encourage users to report any account problems; if they are continually locked out, do they have a bad memory or is someone trying to access their account?
You can read more about Chromeleon CDS technical controls in the following white paper.
To Delete or Not to Delete?
Hands up who gets a shiver down their spine at the mention of the word ‘Delete’? At some point somebody is probably going to need to delete something. Or are you just going to add another disk to your server room ad infinitum?
At Sterling we did a risk assessment and as a result I do have the privilege to delete certain items, but not the privilege to turn off the audit trails. I have in the past deleted report templates, processing methods, folders, or instrument methods that had been created in error and have been left to clog up the Data Vault. These deletions are justified and explained in the audit trail comments. I will, however, never delete any chromatographic data.
The key is to control who has delete privileges. Only your top level administrators should have the privilege to delete anything if it’s deemed necessary, but they must be aware the audit trails are recording all actions. All deletions appear in the audit trails and should be inspected during the quarterly system review and, since we are also checking the roles haven’t been changed, we can confirm the ability to delete hasn’t been temporarily assigned to another role.
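Comparing the current settings with the previous review shows only the end state, so a privilege that was granted and then removed again between reviews leaves no trace there; only the audit trail records it. The following added example (not from the original post or from Chromeleon CDS) replays privilege-change events and reconciles each one against change controls. The role names, privilege names, event layout and change-control ID are constructed assumptions.

```python
# Constructed data: role/privilege names, event layout and the change-control ID
# are illustrative assumptions, not a real CDS export.
PREVIOUS_REVIEW = {
    "Administrator": {"DeleteItems", "ManageUsers"},
    "Analyst": {"CreateSequence", "ProcessData"},
}
APPROVED_CHANGES = {"CC-EXAMPLE-001"}  # change controls closed in the review period

AUDIT_TRAIL = [  # (timestamp, admin, action, role, privilege, comment)
    ("2024-02-01T09:00:00", "it_admin", "GRANT", "Analyst",
     "ModifyProcessingMethod", "per CC-EXAMPLE-001"),
    ("2024-02-10T16:02:11", "it_admin", "GRANT", "Analyst",
     "DeleteItems", "requested by lab"),
    ("2024-02-10T16:09:40", "it_admin", "REVOKE", "Analyst",
     "DeleteItems", "done"),
]

def replay(baseline, events):
    """Apply privilege changes in time order; return (end state, unapproved events)."""
    state = {role: set(privs) for role, privs in baseline.items()}
    unapproved = []
    for ts, admin, action, role, priv, comment in sorted(events):
        privs = state.setdefault(role, set())
        if action == "GRANT":
            privs.add(priv)
        else:
            privs.discard(priv)
        # Every change, including one that is later reversed, needs a change control.
        if not any(cc in comment for cc in APPROVED_CHANGES):
            unapproved.append((ts, admin, action, role, priv))
    return state, unapproved

def snapshot_diff(baseline, current):
    """What a settings-only comparison against the previous review would report."""
    diff = {}
    for role in baseline.keys() | current.keys():
        changed = baseline.get(role, set()) ^ current.get(role, set())
        if changed:
            diff[role] = changed
    return diff

if __name__ == "__main__":
    end_state, unapproved = replay(PREVIOUS_REVIEW, AUDIT_TRAIL)
    print("settings diff:", snapshot_diff(PREVIOUS_REVIEW, end_state))
    print("changes without a change control:", unapproved)
```

On this sample the settings comparison reports only the approved addition, while the replay surfaces the seven-minute delete grant that was reversed.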
I highly recommend that procedural and technical controls are used and that everyone is educated on the need for the controls and the consequences of ignoring them. The controls should:
- Restrict user access and privileges using the Administration Console controls
- Record all the administrative settings in an SOP
- Document reviews of these settings on a quarterly basis to gather evidence of control
- Control what can be deleted and who can do it
Don’t forget your top level administrators — could they be a weak link? They must understand these procedures and controls. They must also be trained in the principles of GxP and data integrity. Chromeleon 7 CDS is a powerful tool but it is up to us to configure it and use it in a compliant way and to its fullest potential.
“In God we trust. All others must bring data.” – W. Edwards Deming, statistician, professor, author, lecturer, and consultant
Be prepared to bring data.