audit trail

Page 2 of 212

Warning Letter: Inadequate audit trails and password protection (ucm436268)

Tags: | |

“a. You did not retain complete raw data from testing performed to ensure the quality of your APIs. For example, your firm could not provide electronic raw data supporting your High Pressure Liquid Chromatography (HPLC) testing in your Validation Report BP-VR-0701/2010.

b. You failed to retain complete raw data documenting the weights and calculations used in method validation as specified in your standard operating procedure (SOP) “Recording of Raw Data.”

c. Your analyst selectively invalidated data during related substance testing. For example, for [redacted], batch [redacted] on May 15, 2013; you did not retain data from all six injections used for the initial system suitability. Your analyst discarded one of the six injections performed with no justification.

3. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.

The inadequate controls over access to your data raise questions about the authenticity and reliability of your data and the quality of the APIs you produce. Specifically,

a. Your firm did not have proper controls in place to prevent the unauthorized manipulation of your laboratory’s raw electronic data. Your HPLC computer software lacked active audit trail functions to record changes to analytical methods, including information on original methodology, the identity of the person making the change, and the date of the change. In addition, your laboratory systems did not have access controls to prevent deletion or alteration of raw data. During the inspection, your analysts demonstrated that they were given inappropriate user permissions to delete HPLC data files.

b. Moreover, the gas chromatograph (GC) computer software lacked password protection allowing uncontrolled full access to all employees.”

View the original warning letter.

Warning Letter: Lack of controls, such as audit trails, to prevent substitution, overwriting, or changes of electronically stored data (ucm431456)

Tags: | |

“The trial injection data was stored in the “Trial” folder located on a PC with no audit trail linked to the HPLC instrument…

The audit trail for the dissolution analysis of the 9-month long-term stability sample of [redacted] USP [redacted] mg Tablets batch [redacted] conducted on March 22, 2014, showed a single manual injection that was not included in the official test results package. A manual “trial” sample injection from vial position [redacted] at 12:29 pm was injected between the Set [redacted] and Set [redacted] analytical sequences. No deviation was documented regarding the extra sample injection. In addition, the original injection data obtained for vial position [redacted] was overwritten and not saved. Because the original data was overwritten, you did not review and evaluate it as part of your batch release decision…

Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).

FDA investigators discovered a lack of basic laboratory controls to prevent changes to electronically stored data. The following examples show that you lack effective control of the integrity of instrument output data:
The ten Shimadzu HPLC instruments in the QC “commercial” laboratory were configured to send acquired injection data to PCs without audit trails.

There was a lack of controls to prevent substitution or overwriting of data. The [redacted] audit trail dated January 6, 2014, for HPLC MLG/QC/12/026 and the [redacted] audit trail dated January 15, 2014, for HPLCs MLG/QC/12/031 and MLG/QC/12/027 each showed sample injections marked with the same small graphic symbol. For each of these entries, you replaced the original injection sequence data with data from a single manual injection and failed to save the original sequence data.

A “File Note” dated February 10, 2014, signed by the QC Head, established that the printed data used for batch disposition decisions from the Metrohm Titrando Instrument MLG/QC/12/048 hard drive was not necessarily the complete data for a batch. Our inspection found that data on the instrument was selected for use and was not protected from change and deletion. Notably, the audit trail capability of this QC “commercial” laboratory instrument was not enabled, even after creation of the “File Note.”

View the original warning letter.

Page 2 of 212