Failure to prevent unauthorized access or changes to data, and to provide adequate controls to prevent manipulation and omission of data.
During the inspection, an FDA investigator discovered a lack of basic laboratory controls to prevent changes to your firm’s electronically stored data and paper records. Your firm relied on incomplete records to evaluate the quality of your drugs and to determine whether your drugs conformed with established specifications and standards.
…..Specifically, your Quality Control (QC) analysts used administrator privileges and passwords to manipulate your high performance liquid chromatography (HPLC) computer clock to alter the recorded chronology of laboratory testing events.
View the original warning letter.
Your firm has not performed software validation [redacted]. These programs are used in the Starlight laser product family.
b. The software validation for [redacted] is inadequate, in that the [redacted]. This message occurs when either the maximum voltage (6V) is exceeded, or the actual voltage is higher than the reference voltage associated with the intensity selected by the operator.
Failure to validate computer software for its intended use according to an established protocol, when computers or automated data processing systems are used as part of production or the quality system, as required by 21 CFR 820.70(i). For example, your firm has not validated the following software used in its quality system:
View the original warning letter.
Notification to Pharmaceutical Companies: Clinical and Bioanalytical Studies Conducted by Semler Research Are Unacceptable
“FDA is notifying sponsors of New Drug Applications (NDAs) and Abbreviated New Drug Applications (ANDAs) that clinical and bioanalytical studies conducted by Semler Research Private Limited (Semler) located in Bangalore, India, are not acceptable as a result of data integrity concerns, and need to be repeated… The inspection found significant instances of misconduct and violations of federal regulations, including the substitution and manipulation of study subject samples.
“Specifically, the WHO examined company computer servers and found a spreadsheet file containing detailed instructions for manipulating drug samples that were used in clinical trials for its clients.”
View the original warning letter.
Failure of computerized systems to have sufficient controls to prevent unauthorized access or changes to data.
Your firm’s computer system for entering test results and storing certificates of analysis (CoA), which document whether a drug meets specifications, does not have sufficient controls to prevent unauthorized changes to a CoA after quality unit approval.
During the inspection, our investigator reviewed [redacted] CoA stored on computer #16, all of which were approved by the quality unit. A manager demonstrated for our investigator how results on an already finalized CoA could be manipulated after the formal quality unit approval. Also, the quality unit’s electronic signatures on these CoA were uncontrolled images of signatures rather than certificate-based electronic signatures.
View the original warning letter.
Your firm failed to ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards (21 CFR 211.194(a)).
During our inspection, we observed multiple examples of incomplete, inaccurate, or falsified laboratory records.
View the original warning letter.
Failure to establish and maintain adequate procedures for implementing corrective and preventive action (CAPA), as required by 21 CFR 820.100(a). For example:
a. Your firm’s CAPA procedure, [redacted], only requires that nonconformances will be reviewed every [redacted]. However, the procedure does not require analysis of quality data, including quality records, complaints and returned products, for potential CAPA.
View the original warning letter.
Failure to establish and maintain adequate procedures for the identification, documentation, validation, or where appropriate verification, review, and approval of design changes before their implementation, as required by 21 CFR 820.30(i). For example: your firm has not validated or documented software changes for the Omega XP Laser System; Omega XP-Clinic Laser System; and Omega Excel Laser System.
View the original warning letter.
Failure to ensure that when computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol, as required by 21 CFR 820.70(i). For example, your firm has not validated the software, [redacted], used to manage various activities such as complaints, CAPAs, repairs, servicing, internal and external audits, and warranty service. Your firm has been utilizing this software since January 2011
View the original warning letter.
“Your firm failed to establish appropriate controls over computers and related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel (21 CFR 211. 68(b)).
You lacked audit trails or other sufficient controls to facilitate traceability of the individuals who access each of the programmable logic controller (PLC) levels or Man-Machine Interface (MMI) equipment. You had no way to verify that individuals have not changed, adjusted, or modified equipment operation parameters.”
View the original warning letter.
“2. Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data.
Your laboratory systems lacked access controls to prevent raw data from being deleted or altered. For example:
a. During the inspection, we noted that you had no unique usernames, passwords, or user access levelsfor analysts on multiple laboratory systems. All laboratory employees were granted full privileges to the computer systems. They could delete or alter chromatograms, methods, integration parameters, and data acquisition date and time stamps. You used data generated by these unprotected and uncontrolled systems to evaluate API quality.
b. Multiple instruments had no audit trail functions to record data changes.
…
3. Failure to maintain complete data derived from all testing, and to ensure compliance with established specifications and standards.
Because you discarded necessary chromatographic information such as integration parameters and injection sequences from test records, you relied on incomplete records to evaluate the quality of your APIs and to determine whether your APIs conformed with established specifications and standards. For example:
a. During the inspection, the investigator found no procedures for manual integration or review of electronic and printed analytical data for [redacted] stability samples. Electronic integration parameters were not saved or recorded manually. When the next samples were analyzed, the previous parameters were overwritten during the subsequent analyses.
…
i. Your HPLC 14 computer files included raw data for undocumented [redacted] stability samples analyzed on December 30, 2013, but no indication of where these samples came from and why they were tested.
ii. In a data file folder created on May 22, 2013, 23 chromatograms were identified as stability samples for [redacted] lots [redacted], and [redacted]. Results were not documented. More importantly, the acquisition date was July 7, 2013, more than six weeks after the samples were run.
iii. (b)(4) lots (b)(4) and (b)(4) were not in your stability study records at the time of inspection. Additionally, there were no log notes of any samples from the three lots removed from the stability chamber.
…
In response to this letter, provide your revised procedures and describe steps you have taken to retrain employees to ensure retention of complete electronic raw data for all laboratory instrumentation and equipment. Also, provide a detailed description of the responsibilities of your quality control laboratory management, and quality assurance unit for performing analytical data review and assuring integrity (including reconcilability) of all data generated by your laboratory.”
View the original warning letter.