“Failure to adequately validate software used as part of production and quality systems for its intended use according to an established protocol as required by 21 CFR 820.70(i). Specifically, you did not validate your CNC Lathe and MAS 90 software used in manufacturing and labeling, respectively.”
View the original warning letter.
1. Failure to establish and maintain adequate procedures for implementing corrective and preventive actions, as required by 21 CFR 820.100(a). Specifically, Your procedures addressing corrective and preventive actions, “Procedures for Corrective and Preventive Action”, PCPA-00, dated10/5/10 and “Measurement and Analysis” procedure, MA-00, dated 10/5/10, are not adequate in that: a) Your procedures do not address:
1. How and how often each data source will be analyzed to identify existing and potential causes of nonconforming product.
2. Initiating a corrective and preventive action commensurate with the significance and risk of the nonconformity.
3. Verifying and validating corrective and preventive actions to ensure such action is effective and does not adversely affect the finished device.
4. Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems.
…
5. Failure to establish and maintain procedure for identification, documentation, validation or where appropriate verification, review and approval of design changes before their implementation, as required by 21 CFR 820.30(i). For example, a sticky note on the “Chaps” instructions sheet stating “No Longer Need F Velcro Lengths” is the only documentation for the change to receive the elastic with the Velcro already sown onto it. This design change did not go through your formal change control as required by “Change Control” procedure, CC-00, dated 10/5/10.
View the original warning letter.
“Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
Specifically, your high performance liquid chromatography (HPLC) and gas chromatography (GC) data acquisition software, TotalChrom®, did not have sufficient controls to prevent the deletion or alteration of raw data files. During the inspection, the investigator observed that the server that maintains electronic raw data for HPLC and GC analyses (the J drive) contains a folder named “Test,” and that chromatographic methods, sequences, and injection data saved into this folder can be deleted by analysts. The investigator also found that data files initially created and stored in the “Test” folder had been deleted, and that back-up files are overwritten [redacted].
In addition, because no audit trail function was enabled for the “Test” folder, your firm was unable to verify what types of injections were made, who made them, or the date or time of deletion. The use of audit trails for computerized analytical instrumentation is essential to ensure the integrity and reliability of the electronic data generated.”
View the original warning letter.
“a. You did not retain complete raw data from testing performed to ensure the quality of your APIs. For example, your firm could not provide electronic raw data supporting your High Pressure Liquid Chromatography (HPLC) testing in your Validation Report BP-VR-0701/2010.
b. You failed to retain complete raw data documenting the weights and calculations used in method validation as specified in your standard operating procedure (SOP) “Recording of Raw Data.”
c. Your analyst selectively invalidated data during related substance testing. For example, for [redacted], batch [redacted] on May 15, 2013; you did not retain data from all six injections used for the initial system suitability. Your analyst discarded one of the six injections performed with no justification.
3. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
The inadequate controls over access to your data raise questions about the authenticity and reliability of your data and the quality of the APIs you produce. Specifically,
a. Your firm did not have proper controls in place to prevent the unauthorized manipulation of your laboratory’s raw electronic data. Your HPLC computer software lacked active audit trail functions to record changes to analytical methods, including information on original methodology, the identity of the person making the change, and the date of the change. In addition, your laboratory systems did not have access controls to prevent deletion or alteration of raw data. During the inspection, your analysts demonstrated that they were given inappropriate user permissions to delete HPLC data files.
b. Moreover, the gas chromatograph (GC) computer software lacked password protection allowing uncontrolled full access to all employees.”
View the original warning letter.
Your firm released [redacted] API batch [redacted] with an unknown peak present in the residual solvents chromatogram. Although this unknown peak was not a part of your historical impurity data, neither the analyst nor the supervisor apparently noticed or evaluated this unknown peak during their reviews.
Subsequently, a customer complaint was received for this batch, and your investigation identified the unknown peak as [redacted]. Your firm found that this peak was a result of a contamination that occurred during your manufacturing process.
In response to this letter, provide the corrective actions implemented to ensure that all laboratory data is appropriately analyzed, accurately reported and approved by your quality unit.
Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
Your firm did not have proper controls in place to prevent the unauthorized manipulation of your electronic raw data. For example,
a. The inspection found that the audit trail feature for your gas chromatography (GC) instruments was not used until October 2013, even though your 2009 GC software validation included a satisfactory evaluation of the audit trail capability.
b. There is no assurance that you maintain complete electronic raw data for the [redacted] GC instruments, the Malvern particle size analyzer, and the ultraviolet (UV) spectrophotometer. Our inspection found that these instruments were connected to stand-alone computers that stored the data and that the data could be deleted.
c. Prior to our inspection, your firm failed to have a back-up system for the data generated by one of the [redacted] Fourier transform infrared spectrometers, the polarimeter, the UV spectrophotometer and the Malvern particle size analyzer.
View the original warning letter.
“Your software development / validation does not include written procedures, structural and regression testing, and code reviews.
a. Your software development /validation:
….
c. The available clinical studies documentation for the following Evolution Oxygen Conservers:
View the original warning letter.
“Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
QC personnel created unauthorized folders on laboratory computerized systems without appropriate oversight. Our review of the HPLC Empower III data collected in 2013-2014 in the commercial QC laboratory found a data folder entitled “WASH.” According to your management, the folder was intended for column wash injections using blank solvent prior to and following sample runs, although you have no standard operating procedure (SOP) detailing this process. One of your laboratory analysts stated that this folder does not contain any standard or sample injection results. However, our investigator found that this folder contained a total of 3,353 injection results, some of which appeared to be samples.
As part of your comprehensive evaluation and risk assessment, include a detailed description of all computerized systems in your facility used for testing drugs. This description should include information on each electronic folder that was not created pursuant to a valid SOP and an assessment of every file in each such folder, including information about the sample (product), date of test, lot number and original test result over the last five (5) years, except for data relating to exhibit batches, in which case there is no time limitation. Also provide specific information about all retests during these time frames, where an initial out-of-specification or out-of-trend result was disregarded without an investigation and the date on which you became aware such information had been disregarded. In addition, for each batch, provide the number of injections performed and chromatograms reviewed, and of those, the number that were used to generate a reported result. Furthermore, provide an updated assessment on the possible effects of your firm’s practices on the quality, safety, and efficacy of the drugs you manufacture or plan to manufacture, including drugs covered by approved or pending applications.
Also describe the procedures established to manage and retain all computerized data.
View the original warning letter.
“The trial injection data was stored in the “Trial” folder located on a PC with no audit trail linked to the HPLC instrument…
The audit trail for the dissolution analysis of the 9-month long-term stability sample of [redacted] USP [redacted] mg Tablets batch [redacted] conducted on March 22, 2014, showed a single manual injection that was not included in the official test results package. A manual “trial” sample injection from vial position [redacted] at 12:29 pm was injected between the Set [redacted] and Set [redacted] analytical sequences. No deviation was documented regarding the extra sample injection. In addition, the original injection data obtained for vial position [redacted] was overwritten and not saved. Because the original data was overwritten, you did not review and evaluate it as part of your batch release decision…
Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
FDA investigators discovered a lack of basic laboratory controls to prevent changes to electronically stored data. The following examples show that you lack effective control of the integrity of instrument output data:
The ten Shimadzu HPLC instruments in the QC “commercial” laboratory were configured to send acquired injection data to PCs without audit trails.
There was a lack of controls to prevent substitution or overwriting of data. The [redacted] audit trail dated January 6, 2014, for HPLC MLG/QC/12/026 and the [redacted] audit trail dated January 15, 2014, for HPLCs MLG/QC/12/031 and MLG/QC/12/027 each showed sample injections marked with the same small graphic symbol. For each of these entries, you replaced the original injection sequence data with data from a single manual injection and failed to save the original sequence data.
A “File Note” dated February 10, 2014, signed by the QC Head, established that the printed data used for batch disposition decisions from the Metrohm Titrando Instrument MLG/QC/12/048 hard drive was not necessarily the complete data for a batch. Our inspection found that data on the instrument was selected for use and was not protected from change and deletion. Notably, the audit trail capability of this QC “commercial” laboratory instrument was not enabled, even after creation of the “File Note.”
View the original warning letter.
“Software used as part of production and the quality system has not been validated for its intended use according to an established protocol, as required by 21 CFR 820.70(i). Specifically, software validation was not conducted for the following pieces of equipment: [Redacted]”
Automated Production Equipment
Quality Inspection Equipment
[redacted]
[redacted]
[redacted]
[redacted].”
View the original warning letter
“A device master record has not been adequately maintained, as required by 21 CFR 820. 181. For example, specifications for the various components of the device were not maintained; software specifications were not maintained; production process specifications and procedures were not maintained; quality assurance procedures and acceptance criteria were not maintained; packaging and labeling specifications were not maintained; and installation, maintenance and servicing procedures and methods were not maintained.
View the original warning letter .