Warning Letter: Failure to confirm CAPA actions (ucm552687)

Your firm failed to follow its CAPA procedures when evaluating a third party report, dated August 25, 2016, in that your firm released Merlin@home Cybersecurity Risk Assessment [redacted], Revision G, an updated risk assessment and its corresponding corrective action, Merlin@home EX2000 v.8.2.2, (pilot release on December 7, 2016 with full release on January 9, 2017), before approving the CAPA request for this issue, CAPA#17012 Titled: CRM Product Cybersecurity, on February 7, 2017.  Your firm conducted a risk assessment and a corrective action outside of your CAPA system.  Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures.  Additionally, your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device…

Failure to ensure that design verification shall confirm that the design output meets the design input requirements, as required by 21 CFR 820.30(f).  For example: Your firm has a design input, [redacted], of “the Remote Monitoring device shall only open network ports to authorized interfaces” which is documented in Merlin@home EX2000 [redacted] Software System Requirements Specification, Document [redacted].  This is implemented as a design output in your firm’s Merlin@home Software Requirements Specification Uploads [redacted].

This design output was not fully verified during your firm’s design verification activities.  According to your firm’s testing procedures, [redacted], Final Configuration Test Procedures, [redacted] and Final Configuration Test Procedures Document [redacted],  the requirement was only partially verified by testing that the network ports opened with an authorized interface.  Your testing procedures did not require full verification to ensure the network ports would not open with an unauthorized interface…

Failure to ensure that design validation shall include risk analysis, where appropriate, as required by 21 CFR 820.30(g).  For example:

a. Your firm failed to accurately incorporate the findings of a third-party assessment you commissioned, dated April 2, 2014, into your firm’s updated cybersecurity risk assessments for your high voltage and peripheral devices.  Specifically:

1. Your firm’s updated Cybersecurity Risk Assessments, [redacted] Cybersecurity Risk Assessment, [redacted], Revision A, April 2, 2015 and Merlin@home Product Security Risk Assessment, [redacted], Revision B, May 21, 2014 failed to accurately incorporate the third party report’s findings into its security risk ratings, causing your post-mitigation risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled.

2. The same report identified the hardcoded universal unlock code as an exploitable hazard for your firm’s High Voltage devices.  Your firm’s Global Risk Management Procedure, SOP [redacted], Section 5.3.3 of Revision T, Released November 2, 2012, and Section 5.1.3 of Revision X, Released November 8, 2016, requires your firm to assess if new hazards are introduced, or previously identified hazardous situations are affected, by risk control measures.  Your firm identified the hardcoded universal unlock code as a risk control measure for emergent communication.  However, you failed to identify this risk control also as a hazard.  Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal lock code in the design of your High Voltage devices.

View the original warning letter.