Failure to establish and maintain adequate procedures for the identification, documentation, validation, or where appropriate verification, review, and approval of design changes before their implementation, as required by 21 CFR 820.30(i). For example: your firm has not validated or documented software changes for the Omega XP Laser System; Omega XP-Clinic Laser System; and Omega Excel Laser System.
View the original warning letter.
Failure to ensure that when computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol, as required by 21 CFR 820.70(i). For example, your firm has not validated the software, [redacted], used to manage various activities such as complaints, CAPAs, repairs, servicing, internal and external audits, and warranty service. Your firm has been utilizing this software since January 2011
View the original warning letter.
“Your firm failed to establish appropriate controls over computers and related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel (21 CFR 211. 68(b)).
You lacked audit trails or other sufficient controls to facilitate traceability of the individuals who access each of the programmable logic controller (PLC) levels or Man-Machine Interface (MMI) equipment. You had no way to verify that individuals have not changed, adjusted, or modified equipment operation parameters.”
View the original warning letter.
“Failure to adequately establish procedures for design validation, as required by 21 CFR 820.30(g). Specifically, QS-57532 (Rev. 2.0, “WI-Customer Validation Process”) allows for devices that have not yet fully completed design validation, including software validation, to be shipped to end users for clinical use on patients in a “Limited Availability” basis for the purpose of collecting additional feedback prior to the completion of design validation activities. Further, the Merge HEMO V10.0 was shipped to [redacted] end users for clinical use in cardiac catheterization procedure labs as part of the firm’s design validation plan as a “Limited Availability” release; these devices had not been fully validated. Additionally, document number HEMO-6830 (Rev. 1.0, “Customer Validation Plan Merge Hemo 10.0) describes the customer validation process conducted at the two end user facilities during the “Pre-Release/Limited Availability” release timelines where it is indicated the software will be used in a “production environment,” i.e. for patient use….”
View the original warning letter.
“2. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
Your laboratory systems lacked access controls to prevent raw data from being deleted or altered. For example:
a. During the inspection, we noted that you had no unique usernames, passwords, or user access levelsfor analysts on multiple laboratory systems. All laboratory employees were granted full privileges to the computer systems. They could delete or alter chromatograms, methods, integration parameters, and data acquisition date and time stamps. You used data generated by these unprotected and uncontrolled systems to evaluate API quality.
b. Multiple instruments had no audit trail functions to record data changes.
…
3. Failure to maintain complete data derived from all testing, and to ensure compliance with established specifications and standards.
Because you discarded necessary chromatographic information such as integration parameters and injection sequences from test records, you relied on incomplete records to evaluate the quality of your APIs and to determine whether your APIs conformed with established specifications and standards. For example:
a. During the inspection, the investigator found no procedures for manual integration or review of electronic and printed analytical data for [redacted] stability samples. Electronic integration parameters were not saved or recorded manually. When the next samples were analyzed, the previous parameters were overwritten during the subsequent analyses.
…
i. Your HPLC 14 computer files included raw data for undocumented [redacted] stability samples analyzed on December 30, 2013, but no indication of where these samples came from and why they were tested.
ii. In a data file folder created on May 22, 2013, 23 chromatograms were identified as stability samples for [redacted] lots [redacted], and [redacted]. Results were not documented. More importantly, the acquisition date was July 7, 2013, more than six weeks after the samples were run.
iii. (b)(4) lots (b)(4) and (b)(4) were not in your stability study records at the time of inspection. Additionally, there were no log notes of any samples from the three lots removed from the stability chamber.
…
In response to this letter, provide your revised procedures and describe steps you have taken to retrain employees to ensure retention of complete electronic raw data for all laboratory instrumentation and equipment. Also, provide a detailed description of the responsibilities of your quality control laboratory management, and quality assurance unit for performing analytical data review and assuring integrity (including reconcilability) of all data generated by your laboratory.”
View the original warning letter.
“Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system, as required by 21 CFR 820.70(i).
For example, your firm uses the software [redacted], developed by [redacted], to document, maintain, and track customer complaints electronically. However, as stated by your firm’s Director of Quality Assurance (QA) & Regulatory Affairs (RA) during the inspection, the software does not generate time-stamped audit trails to independently record the date and time of operator entries and actions that create, edit, or modify electronic records.”
View the original warning letter.
” Quotes from the Notice:
The company failed to ensure the integrity of data:…
Batch numbers were not electronically recorded…
Hundreds of trial injections… in sequence… were seen in folder c:…
Data was found to be deleted for several runs…
The backups could not be restored during the inspection.
Instrument audit trails were not available…
An analyst was seen in process of taking tablet weight data from a calculation spreadsheet in Excel and writing the values down in his analytical test sheet as if these were the raw weighing values.”
View the original Notice of Concern.
“”CAPA QS-13-006 identified corrective actions to your firm’s software validation procedure and identified 50 software processes that were not validated. Your firm closed the CAPA as effective on April 15, 2015; however, the validations for 38 of the identified software processes were not completed [Kurihara-shi, Miyagi].
The adequacy of your firm’s responses cannot be determined at this time. Your firm initiated a CAPA to address the above deficiencies. However, your firm has not completed implementation of its corrective actions and CAPA effectiveness verifications for this observation.”
View the original warning letter.
Failure to establish and maintain procedures for validating the device design, as required by 21 CFR 820.30(g).
…
“From 11/9/2014-5/25/2015, a total of 125 complaints were received and documented informally in emails and on a spreadsheet. Complaint form, #211.2.A, which is required to be completed per your Complaint Handling procedure, was not completed for each of these complaints…
Data sources are not being analyzed to identify existing and potential causes of nonconforming product or other quality problems, as required by 21 CFR 820.100(a)(1)…
Your response is not adequate. Although it states that data sources will be reviewed by management on a regular basis as part of management review, you do not address conducting a retrospective review of these data sources to determine if there are any existing and potential causes of nonconforming product or other quality issues that have not been identified. Also, you did not provide a copy of the applicable procedures that address the type of statistical analysis that will be performed on each data source.”
View the original warning letter.
“Failure to establish and maintain design validation procedures to ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions, as required by 21 CFR 820.30(g).
During an inspection of your firm located in Round Rock, Texason June 16, 2015 through July 2, 2015, an investigator from the United States Food and Drug Administration (FDA) determined that your firm is a manufacturer of the ECG Check Application and ECG Check Wireless Lead Cardiac Monitor (ECG Check Monitor)…
Your firm’s “Design Validations” procedure Revision 1 dated May 22, 2015, states software should be tested according to a test plan and requires the results of this software validation to be maintained in the design history file (DHF). Your firm does not have any records demonstrating the ECG Check Application software was validated.”
View the original warning letter.