Your firm has not established procedures that define how cases originally categorized as customer support requests are uniformly entered by employees into your firm’s electronic [redacted] system and uniformly evaluated to ensure the information will be accurately processed into the [redacted], if the support request case is subsequently determined to constitute a complaint for which an investigation may be necessary. For example, during the inspection, your firm’s Director of Quality Assurance and Regulatory Affairs explained that your firm had been unable to determine how to convert a customer support request into a customer complaint in the [redacted] system.
In your response, you attributed these APR errors to personnel using the previous year’s APR as a template. You revised your procedures to include a blank template. You also stated that “all the error was transcription error and review error by all managers of concerned departments.” You indicated that you would avoid such errors in the future by using enterprise resource planning to compile QMS data online.
Your response is inadequate. You did not explain how your use of an enterprise resource planning system will prevent APR errors in the future.
For example, your internal quality audit procedure, P715 “Internal Quality audits” (multiple version reviewed) is inadequate as the procedure allows your firm to utilize your customer audits conducted at your firm’s facility instead of your firm conducting its own internal audits at all times. It was noted during the review of your firm’s internal audit plans from 2012 – 2016, that instead of your firm conducting internal audits of all areas mentioned in your plans you counted the external audits conducted during this time frames as your “internal audit” of those areas… Additionally, in 2016, procedure P81 Software Validation for software used in processes was audited by [redacted]. However, your firm’s procedure does not explain how customer audits substitute your firm’s internal audits to ensure that the external customer audit will focus on the quality system being in compliance with the established quality system requirements…
Failure to submit any report required within 10‐working days of initiating a correction or removal, as required by 21 CFR Part 806.10. For example, your firm failed to report the following corrections or removals to FDA: a) field correction involving the replacement of a power supply related to REV7 of power supply 3359‐048 initiated March 22, 2012, and b) field correction involving software update (V1.2.5) for V‐Twin Analyzer with bar Code Reader Initiated February 1, 2016.
1. Failure to prevent unauthorized access or changes to data, and failure to provide adequate controls to prevent omission of data.
Our inspection found your laboratory systems lacked controls to prevent deletion of and alterations to electronic raw data.
a. Our review of audit trail data revealed that your analysts manipulated the date/time settings on your high performance liquid chromatography (HPLC) systems. During the inspection your analysts admitted to setting the clock back and repeating analyses for undocumented reasons. Initial sample results were overwritten or deleted, and unavailable for our investigators’ review. Your firm reported only the passing results from repeat analyses. When test results are overwritten, the quality unit is presented with incomplete and inaccurate information about the quality of the drugs produced by your firm.
b. Your quality control analysts used a shared login account to access HPLC systems. This shared account allowed analysts, without traceability, to change the date/time settings of the computer, to modify file names, and to delete original HPLC data.
c. Seven out of [redacted] of your firm’s HPLC systems used for API testing had the audit trail feature disabled, although all [redacted] had audit trail functionality.
In your response, you acknowledged that you lacked effective measures to control data within your computerized systems. You committed to revising procedures for computerized systems, locking date/time settings, and enabling audit trail functions. However, you noted that you do not expect audit trail functions for all quality control instruments to be completely activated until September 30, 2017. In the interim, you committed to control measures, including updated software and logbooks.
Your response is insufficient because it did not specify who holds administrative privileges on your computers, or address the significant pattern of data manipulation (e.g., deletions, date/time alterations) we observed at your facility.
In response to this letter:
Clarify the specific user roles and detail the associated privileges for each laboratory system.
Provide an assessment of the effectiveness of your interim system controls.
Provide a commitment to conduct a similar future assessment of the effectiveness of all system controls expected to be in place by September 2017.
Explain the oversight role of the quality unit in implementing these improvements and ensuring they remain effective.
2. Failure to maintain complete data derived from all laboratory tests conducted to ensure compliance with established specifications and standards.
Our investigators found that you failed to maintain complete data for all laboratory analyses, and you relied on incomplete information to determine whether your drugs met established specifications.
a. HPLC chromatograms were deleted and not available for our investigators’ review. In your response, you acknowledged that in January 2016, “some data was deleted” while the network edition of the chromatographic operating system software was installed.
b. Our investigators found a recurring practice of re-testing samples until acceptable results were obtained. For example, our investigators found repeat HPLC testing for related substances of crude [redacted], batch [redacted]. The initial test displayed an unknown peak in the chromatogram. A different analyst retested the batch five days later: this analysis did not display the unknown peak. Only the results of the second analysis were used for batch disposition, without documented justification or investigation.
Your response is inadequate because you did not include an assessment of the deleted data. Your response also lacked commitments to investigate the unknown peak in the chromatogram for crude [redacted] batch [redacted], and to discontinue repeating tests without justification and investigation.
3. Failure of your quality unit to exercise its responsibility to ensure the API manufactured at your facility are in compliance with CGMP, and meet established specifications for quality and purity.
Our investigators found batch production records that contained blank or partially completed manufacturing data and lacked dates and signatures for verification. For example, in your [redacted] plant, our investigators found a batch record for [redacted] starting material, batch [redacted], with sticky notes from the quality assurance department directing operators to enter manufacturing data, such as missing weight and volume entries. Also, your quality unit did not approve this batch record before the material was used in further manufacturing.
All data in CGMP records must be complete and reliable so it can be evaluated by the quality unit during its batch review, as well as maintained for additional CGMP purposes.
Other documents—including cleaning records and equipment use logs—were also found to be partially completed, without dates and signatures for verification, or with pages or spaces intentionally left blank for documentation at a later time.
Your quality unit was aware of these unacceptable production department practices but did not ensure they were corrected.
Your firm does not exercise appropriate controls over computer related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel [21 C.F.R. 211.68(b)]. For example:
A. Your “Processed By” dates and times listed on printed chromatograms do not always show the same “Processed By” dates and times listed on the system chromatograms.
B. Your data in the audit trails does not always show the same data listed on your printed chromatograms.
Your response states you have not observed any test result data discrepancies between your printed versions of the test results. However, this does not address adequate electronic data controls to prevent inconsistencies between the printed and electronic data. Your responses for 2A and 2B above are not adequate in that your firm did not provide any corrective action addressing the assessment of all relevant data in the audit trails.
C. Your firm enters data into [redacted] files to complete plate assay calculations but they are not locked from editing once the file has been reviewed.
Your response fails to include any corrective action to ensure that there is no further access or ability to save over test results in [redacted] spreadsheets once reviewed and approved.
D. Your firm did not give unique sample set names to different sequences of samples run on different instruments on the same day.
Your response is not adequate. Your firm did not address the concern of the possibility of sample sets with the same name overwriting each other during the data backup process…
Your procedure is to then enter the raw data into document number MIC-0066-13-01 titled “[redacted]”, Attachment 1. On the completed form, the [redacted] test results for the [redacted] zones were not the same as observed by our Investigator; the range was 11.4 to 15.1. Your firm used an Excel spreadsheet to calculate the potencies of Tri-Otic Ointment lots H610 and H6514 as [redacted] and [redacted], respectively.
Your response does not provide documentation of the January 26, 2017 handwritten zone diameter results for Tri-Otic Ointment (Lots H6510 and H6514), which you allege differ from our investigators’ direct observation. We note your response acknowledges that you should have provided our Investigator a copy of the handwritten zone diameter results. You have not subsequently verified complete raw data was maintained.
Our investigators observed that the software you use to conduct high performance liquid chromatography (HPLC) analyses of API for unknown impurities is configured to permit extensive use of the “inhibit integration” function without scientific justification. For example, our investigator reviewed the integration parameters you used for HPLC identification of impurities in release testing for [redacted]. These parameters demonstrated that your software was set to inhibit peak integration at four different time periods throughout the analysis. Similarly, in the impurities release testing you performed for [redacted], your HPLC parameters were set to inhibit integration at four different time periods throughout the analysis.
Inhibiting integration at various points during release testing for commercial batches is not scientifically justified. It can mask identification and quantitation of impurities in your API, which may result in releasing API that do not conform to specifications.
2. Failure to prevent unauthorized access or changes to data and failure to provide adequate controls to prevent manipulation and omission of data.
During the inspection, our investigators discovered a lack of basic laboratory controls to prevent changes to and deletions from your firm’s electronically-stored data in laboratories where you conduct CGMP activities. Specifically, audit trail functionality for some systems you used to conduct CGMP operations was enabled only the day before the inspection, and there were no quality unit procedures in place to review and evaluate the audit trail data. For example, you used standalone HPLC (2-RD HP/SM/32) to conduct analyses for Drug Master File (DMF) submissions and investigations, such as characterization of a starting material for your [redacted] DMF. You also used uncontrolled systems to conduct out-of-specification (OOS) investigations for in-process materials used to manufacture [redacted] API.
3. Limiting access to or copying of records
Your firm limited access to or copying of records that our investigators were entitled to inspect. For example, our investigators requested records of your audit trail data from all chromatographic systems used to test drugs for the U.S. market at your facility. The files you ultimately provided (in the form of Excel spreadsheets rather than direct exports from your chromatographic software) were not the original records or true copies, and showed signs of manipulation. The records you did provide contained highlighting, used inconsistent date formats, and lacked timestamp data; these features are inconsistent with original data directly exported from chromatographic testing software.
Our investigators and their supervisor explained at least twice that the data you provided was not representative of actual audit trail data from the chromatographic systems, and requested that you provide the original, unmodified records. Your firm stated, without reasonable explanation, that you could not provide the requested audit trail records. When our investigators explained that your failure to provide the requested records would be documented as a refusal, you acknowledged the refusal.
Our investigators documented other instances in which your firm limited the inspection by providing some, but not all, of the records requested by the FDA investigator that FDA had authority to inspect. At multiple times during the inspection, FDA requested records of CGMP activities performed in your R&D laboratories at the behest of your quality unit. However, you limited the inspection by providing only a subset of the requested records, and our investigators also found at least one of the requested records shredded in the trash. Finally, our investigators requested chromatograms to substantiate your claim that you had identified and quantitated the impurities in [redacted], but you never provided the records that our investigators asked for to support your claim.
When an owner, operator, or agent delays, denies, limits, or refuses an inspection, the drugs may be deemed adulterated under section 501(j) of the FD&C Act.
Your firm failed to follow its CAPA procedures when evaluating a third party report, dated August 25, 2016, in that your firm released Merlin@home Cybersecurity Risk Assessment [redacted], Revision G, an updated risk assessment and its corresponding corrective action, Merlin@home EX2000 v.8.2.2, (pilot release on December 7, 2016 with full release on January 9, 2017), before approving the CAPA request for this issue, CAPA#17012 Titled: CRM Product Cybersecurity, on February 7, 2017. Your firm conducted a risk assessment and a corrective action outside of your CAPA system. Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures. Additionally, your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device…
Failure to ensure that design verification shall confirm that the design output meets the design input requirements, as required by 21 CFR 820.30(f). For example: Your firm has a design input, [redacted], of “the Remote Monitoring device shall only open network ports to authorized interfaces” which is documented in Merlin@home EX2000 [redacted]Software System Requirements Specification, Document [redacted]. This is implemented as a design output in your firm’s Merlin@home Software Requirements Specification Uploads [redacted].
This design output was not fully verified during your firm’s design verification activities. According to your firm’s testing procedures, [redacted], Final Configuration Test Procedures, [redacted] and Final Configuration Test Procedures Document [redacted], the requirement was only partially verified by testing that the network ports opened with an authorized interface. Your testing procedures did not require full verification to ensure the network ports would not open with an unauthorized interface…
Failure to ensure that design validation shall include risk analysis, where appropriate, as required by 21 CFR 820.30(g). For example:
a. Your firm failed to accurately incorporate the findings of a third-party assessment you commissioned, dated April 2, 2014, into your firm’s updated cybersecurity risk assessments for your high voltage and peripheral devices. Specifically:
1. Your firm’s updated Cybersecurity Risk Assessments, [redacted]Cybersecurity Risk Assessment, [redacted], Revision A, April 2, 2015 and Merlin@home Product Security Risk Assessment, [redacted], Revision B, May 21, 2014 failed to accurately incorporate the third party report’s findings into its security risk ratings, causing your post-mitigation risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled.
2. The same report identified the hardcoded universal unlock code as an exploitable hazard for your firm’s High Voltage devices. Your firm’s Global Risk Management Procedure, SOP [redacted], Section 5.3.3 of Revision T, Released November 2, 2012, and Section 5.1.3 of Revision X, Released November 8, 2016, requires your firm to assess if new hazards are introduced, or previously identified hazardous situations are affected, by risk control measures. Your firm identified the hardcoded universal unlock code as a risk control measure for emergent communication. However, you failed to identify this risk control also as a hazard. Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal lock code in the design of your High Voltage devices.
Your quality unit failed to monitor and investigate error signals generated by the computerized systems that you use for high performance liquid chromatography and gas chromatography. These signals indicated the loss or deletion of original CGMP analytical data. However, your quality unit did not comprehensively address the error signals or determine the scope or impact of lost or deleted data until after these problems were reviewed during our inspection.
For example, our investigator reviewed audit trails from August 2016 assay testing on [redacted] batch [redacted] and dissolution testing for [redacted] tablets batch [redacted]. The audit trail for these tests included the message, “deleted result set,” but neither of these two incidents were recorded in the analytical packages for these batches of drug products, nor were they reviewed or investigated by the quality unit.
In addition, during the inspection, our investigator observed that your Empower 3 system audit trail displayed many instances of a “Project Integrity Failed” message, which indicates that injections were missing from the results of analytical testing. For example, in [redacted] analysis for [redacted] tablets batch [redacted] conducted on June 20, 2016, no chromatogram was rendered for the initial run of testing. The data package for this testing clearly shows that the initial run is missing, but your quality unit did not investigate the incident.
Although you showed our investigator isolated examples of interrupted, missing, deleted, and lost data for which you had opened investigations, you reached similar conclusions in many of these investigations regarding the root cause of your loss of data integrity but failed to take appropriate corrective action and preventive action in response. Our investigator observed that you attributed numerous incidents to power interruptions, connectivity problems (disconnection of the Ethernet or power cord), and instrument malfunctions. You could not explain why these events occurred with frequency in your laboratory, nor had you undertaken a comprehensive investigation into the problem or sought to correct it and prevent its recurrence.
In your written response dated February 17, 2017, you identified seven samples from a single week of testing for which original results were lost following data acquisition interruptions at the time of initial analysis. Instead of uniformly initiating an investigation into the root cause of each interruption when it occurred or even documenting it for later review and investigation by the quality unit, you explained in your response that you retested the samples immediately after the interruptions.
Your response is inadequate because you have not identified and investigated each instance in which data acquisition was interrupted. While you assessed a limited number of error codes from a seven day period, you did not evaluate the effects of other error codes identified in your simulation exercise report on the reliability, accuracy, or completeness of the data you use to evaluate the quality of your drugs. Although you have submitted multiple responses, you have not yet:
shown exactly how widespread these problems are;
evaluated their full effects on the quality of your drugs;
explained why these events occurred with frequency in your laboratory;
or demonstrated how you will ensure that your quality unit reviews, investigates, and acts upon codes that affect the reliability of your CGMP data.
In response to this letter, provide your validation of laboratory instrument error codes. Identify the specific codes that may impact product quality and the reliability of CGMP data, and provide your procedures to demonstrate how your quality unit will review, investigate, and respond to these specific codes.
Our investigators observed that information technology (IT) staff at your facility share usernames and passwords to access your electronic storage system for [redacted] data. Your IT staff can delete or change directories and files without identifying individuals making changes. After a previous inspection in which FDA observed similar deficiencies, you committed to eliminate these and other data integrity vulnerabilities.
In response to this letter:
Provide your detailed plan to ensure that each current and future employee will have a unique username and password to allow tractability of changes to electronic data back to specific authorized personnel.
Describe the specific changes made to your software and electronic systems to ensure the effectiveness of your corrective actions.
Your quality control laboratory disregarded multiple out-of-specification (OOS) impurity results without justification. For example, on September 22, 2015, you encountered an OOS unknown impurity peak during high performance liquid chromatography (HPLC) testing of [redacted] 36-month stability batch [redacted]. You terminated the analysis. Testing of a new sample also showed the OOS impurity peak. The chromatogram was then manually rescaled, which hid the presence of this peak. Your laboratory set the integration parameters to omit this peak from integration. Because the peak was omitted, the quality unit was not provided with full information to evaluate whether the stability batch, and potentially other marketed batches, continued to meet quality standards.
In addition, your audit trail showed that from July 1 to 2, 2015, you performed seven sample injections of [redacted] 60-month stability batch [redacted]to test for impurities using HPLC. You permanently deleted the first five sample injections. You then renamed the last two injections and reported that they met specifications. Your quality unit failed to identify and address these serious data manipulations…
Our investigator observed that your laboratory systems lacked controls to prevent your staff from altering or deleting electronic data. Analysts manipulated and deleted audit trails. You lacked adequate controls for all HPLC, gas chromatography, and ultra-violet systems.
For example, an analyst deleted audit trails in your gas chromatography equipment #YQ-07-10 from September 15, 2015, through April 24, 2016, and permanently deleted audit trails from November 6 to 13, 2015. In addition, our investigator observed that your quality control manager and quality control deputy manager had full administrative rights on all of your computerized systems, which allows them to manipulate data and turn off audit trails.
