Case Study: A Pharmaceutical Manufacturer Secures GMP-Critical Systems

Executive Summary

A mid-size pharmaceutical manufacturer specializing in controlled substance formulations and specialty drugs received an FDA warning letter citing critical deficiencies in electronic records management for GMP-critical computerized systems. The core finding: shared credentials for remote access to batch control systems and clean room HVAC made it impossible to demonstrate individual accountability, a fundamental requirement of 21 CFR Part 11 and EU GMP Annex 11.

The company's OEM vendors, servicing bioreactors, lyophilizers, filling lines, and environmental monitoring systems, accessed production systems using shared TeamViewer and VPN accounts with no session logs, no individual identification, and no audit trail. The quality team could not answer the most basic regulatory question: who accessed what, when, and what did they do?

The company deployed the Xona Platform across all six manufacturing sites as a non-disruptive overlay requiring no changes to validated GMP systems. Within five months, the company passed its FDA re-inspection with zero observations related to remote access or electronic records. The result is zero direct network connectivity: users interact with OT systems in real time, but their endpoints are never connected to the OT network.

The Challenge

The company's batch control systems were accessed remotely by both internal process engineers and OEM vendors using shared accounts. A single 'admin' account with a static password was used by multiple individuals to connect via TeamViewer. When the FDA asked the company to demonstrate who had modified a specific batch parameter on a specific date, the quality team could not answer. The electronic audit trail showed that 'admin' had made the change, but 'admin' could have been any of 14 different people. This single finding was sufficient to trigger the warning letter.

OEM vendors for the company's bioreactors, lyophilizers, filling lines, and water-for-injection systems connected to production equipment using a variety of tools, none of which provided session recording. OEM vendors also routinely transferred files to and from production systems with no malware scanning, no approval workflow, and no audit trail.

The company operated six manufacturing sites, four in the United States and two in the European Union. Each site had evolved its own remote access practices independently, making it impossible to demonstrate a consistent, company-wide approach to electronic records management.

The company needed to act quickly: the FDA expected a corrective action response within 15 business days. Any solution that required changes to validated GMP systems would trigger a formal change control process requiring IQ, OQ, and PQ qualification for every affected system. Xona's overlay architecture was the decisive factor: zero changes to validated GMP systems. 

The Xona Solution

The company selected the Xona Platform specifically because of its overlay architecture. Xona sits between users and GMP-critical systems without modifying, touching, or integrating into the validated systems themselves. The validated state of batch control systems, HVAC controllers, environmental monitoring systems, and other GMP-critical equipment is entirely unaffected by the deployment.

Xona's credential injection capability was the direct answer to the FDA's core finding. Privileged credentials for GMP-critical systems are stored in Xona's encrypted vault. When a user authenticates to Xona via SAML-based SSO with MFA, the gateway injects the appropriate system credentials on their behalf. The user never sees, handles, or knows the password for the target system. Every access event is tied to a named individual, satisfying 21 CFR Part 11's individual accountability requirement.

Every remote access session is recorded in full-fidelity video with timestamps, keystroke logging, and mouse action capture. All file transfers through the Xona gateway follow a moderated workflow: files are quarantined, scanned for malware via ICAP antivirus scanning, and held for explicit approval before being delivered to the target system. Session logs and access records are cryptographically signed, providing non-repudiation.
Total elapsed time from first deployment to full enterprise coverage: 14 weeks. Total disruption to validated GMP systems: zero.

The Results:

The company passed its FDA re-inspection with zero observations related to remote access, electronic records, or individual accountability, a complete resolution of the warning letter findings. EU competent authority inspections at both European sites confirmed compliance with Annex 11 requirements. The quality team can now respond to any regulatory inquiry about system access within minutes.

OEM vendor access provisioning time was reduced by 75%, from an average of 3.5 hours involving VPN configuration, credential sharing, and manual documentation, to under 50 minutes including JIT approval, session initiation, and automated documentation. Automated session documentation saves approximately 120 hours per month in manual record-keeping across the six sites. Moderated file transfer with malware scanning intercepted two files flagged by automated scanning during the first six months of operation.