Observation
1. Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).
Your firm manufactures over-the-counter (OTC) drug products, including alcohol-based hand sanitizers[1]. During the inspection of your facility, our investigator attempted to review analytical data from your gas chromatograph (GC) supporting the release of drug products distributed to the United States. However, your firm stated that all testing data from 2018 to 2020 was lost approximately one month prior to the initiation of our inspection. The GC is used to analyze the identity and strength of active ingredients and impurities contained in your OTC drug products, as well as other critical parameters. According to firm management, the data is unrecoverable. While your firm retained a static copy of laboratory records for review (i.e., paper record), they were inadequate as they did not preserve the dynamic record format of the full chromatographs to support test results and they did not include system suitability documentation that are part of the complete, original record.
Additionally, our investigator observed that the computerized system and software associated with your GC lacked restricted access. For example, your laboratory employees who used the GC to perform analyses of drug products all logged in as “System Administrator,” which does not require a password, and had full system administration rights. In addition, audit trails on your GC were not enabled.
Furthermore, you did not retain all original, dynamic records, obtained during the course of testing on other laboratory equipment. Your viscometer and UV-Vis spectrophotometer had the capability to save data from product/material testing. Despite having this capability, your analysts failed to save the complete, dynamic testing data, and therefore the data was not available for review by the FDA investigator. The viscometer is used to measure the viscosity of finished drug products during release testing and the UV-Vis spectrophotometer is used to measure ethanol content during raw material testing.
Your firm also utilizes electronic spreadsheets to input data for your stability program. However, these spreadsheets are not controlled and there is no protection to prevent data manipulation, overwriting, or erasure.
In your response, you indicated that you purchased and/or installed additional equipment to address this violation, including, but not limited to, an uninterrupted power source, remote hard drive, electrical equipment, and new software. Your response also states that you have updated and developed associated procedures, created individual accounts for all personnel that utilize laboratory equipment, and conducted accompanying trainings. However, your response is inadequate because it lacked supporting documentation, including evidence to support that the computer security controls were effective at preventing data and document manipulation. Additionally, you did not perform a retrospective risk assessment into how system vulnerabilities may have impacted data integrity.
Your firm does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture.
Comment
See FDA’s guidance document Data Integrity and Compliance With Drug CGMP for guidance on establishing and following CGMP compliant data integrity practices at https://www.fda.gov/media/97005/download.
Provide Followings as part of resolution
• A comprehensive investigation into the extent of the inaccuracies in data records and reporting including results of the data review for drugs distributed to the United States. Include a detailed description of the scope and root causes of your data integrity lapses. • A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity and analyses of the risks posed by ongoing operations. • A management strategy for your firm that includes the details of your global corrective action and preventive action plan. The detailed corrective action plan should describe how you intend to ensure the reliability and completeness of all data generated by your firm including microbiological and analytical data, manufacturing records, and all data submitted to FDA. • A complete assessment of documentation systems used throughout your manufacturing and laboratory operations to determine where documentation practices are insufficient. Include a detailed Corrective Action and Preventive Action (CAPA) plan that comprehensively remediates your firm’s documentation practices to ensure you retain attributable, legible, complete, original, accurate, contemporaneous records throughout your operation. • A comprehensive, independent assessment and CAPA plan for computer system security and integrity. Include a report that identifies design and control vulnerabilities, and appropriate remediations for each of your laboratory computer systems. This should include, but not be limited to: o A list of all hardware that includes all equipment, both standalone and network, in your laboratory. o Identification of vulnerabilities in hardware and software, encompassing both networked and non-networked systems. o A list of all software configurations and versions, details of all user privileges, and oversight responsibilities for each of your laboratory systems. Regarding user privileges, specify user roles and associated user privileges (including the specific permissions allowed for anyone who has administrative rights) for all staff who have access to the laboratory computer systems, and their organizational affiliations and titles. Also describe how you will ensure laboratory staff are not given administrative rights, or other permissions that compromise data retention or reliability. o System security provisions, including, but not limited to, whether unique user names/passwords are always used, and their confidentiality safeguarded. o Detailed procedures for robust use and review of audit trail data, and current status of audit trail implementation for each of your systems. o Interim control measures and procedural changes for the control, review, and full retention of laboratory data. o A detailed summary of your procedural updates and associated training, including but not limited to system security control to prevent unauthorized access, appropriate user role assignments, secondary review of all analyses, and other system controls. o Provisions for oversight by QA managers, executives, and internal auditors with appropriate information technology (IT) expertise (e.g., to evaluate infrastructure, configuration, network requirements, data management practices, and segregation of duties including administrator rights). o A remediated program for ensuring strict ongoing control over electronic and paper-based data to ensure that all additions, deletions, or modifications of information in your records are authorized, and all data is retained. Include a full CAPA plan and any improvements made to date. o An independent, thorough retrospective assessment into the impact of laboratory system design, control, and staff practices on your data accuracy, completeness, and retention since January 1, 2018. • A comprehensive, independent assessment of your change management system. This assessment should include, but not be limited to, your procedure(s) to ensure changes are justified, reviewed, and approved by your quality unit. Your change management program should also include provisions for determining change effectiveness.
Address: 17 A Suryadev Nagar, Indore (M. P.)
5-46/1 Chanda Nagar Hyderabad (Telangana)
Email: info@companysconnects.com
WhatsApp/Call: +91- 9691633901, +91- 8839538846
Website: https://www.companysconnects.com/