Current FDA's Warning Letters on IT Topics - Part 2: Finished Medicinal Products and APIs
In a first stage of escalation - when serious GMP deviations are identified during inspections, or in case of insufficient corrective measures - the FDA issues a Warning Letter to the companies concerned. Within 15 working days, the companies in question have to undertake concrete action plans to redress those deviations. If these action plans are evaluated as insufficient by the Agency, further escalation levels may follow.
Some Warning Letters from 2014 also list GMP deficiencies with regard to IT topics. Not a single Warning Letter has been exclusively issued just because of IT issues, though. But taken together, all the GMP deviations in a company were so serious that the Agency issued a Warning Letter which also included deviations related to IT.
All in all, 7 Warning Letters from 2014 contain topics with regard to IT. 4 Warning Letters have been issued for manufacturers of medical devices, 2 Warning Letters for manufacturers of medicinal products and 1 Warning Letter for an API manufacturer. In part I of our news on IT-related Warning Letters we covered those regarding medical devices. Below you will find the letters with regard to finished medicinal products and APIs.
IT-related Warning Letters on finished medicinal products and APIs
IT-related Warning Letters for manufacturers of finished medicinal products always refer to 21 CFR 211.68 (b): "Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records" (21 CFR 211.68 (b)).
With regard to that area, the Warning Letter issued for the company USV Limited criticises many items and has generally recorded the absence of appropriate provisions for the application of computerised systems. In detail, the following critical points are mentioned:
- Current computer users in the laboratory were able to delete data from analyses
- The audit trail function for a GC and a XRD system was disabled at the time of the inspection. Therefore the firm lacks records for the acquisition, or modification, of laboratory data
- QC lab personnel shared login IDs for HPLC units. The lab staff shared one login ID for the XRD unit. Analysts also shared the username and password for the Windows operating system for the GC workstation and no computer lock mechanism had been configured to prevent unauthorized access to the operating system
- There was no procedure for the backup and protection of data on the GC standalone workstations
- In the response the firm lacks assurance that the periodically backed-up data include all of the original data generated
- Also the questions regarding Audit Trails and access controls have been either unanswered or insufficiently answered.
Also the Warning Letter for the company Sun Pharmaceutical Industries lists several critical comments:
- Numerous deleted raw data files on computers used for the GC instruments in the QC lab. The software on the computers used to control the GC instruments allowed the analysts to delete files from the hard drive with no audit trail or adequate form of traceability in the operating system to document deletion activity
- The software as configured assigned sequential, numerical names to raw data files within the same folder. When a raw data file was deleted or moved out of the designated folder, the next file recorded into the folder would be saved with an identical name as the deleted file. As a result, data can be manipulated so that saved files appear to be in sequence even if they were not generated sequentially
- Due to the basic lack of audit trail and data security, an analyst could delete analytical files without traceability - an unacceptable practice from the FDA's point of view
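The file-name reuse described in the Sun Pharmaceutical findings stays invisible in the folder itself but not in an acquisition-level audit trail. The following Python is an added example, not taken from the Warning Letters or from any instrument vendor's software; the file names, user IDs, timestamps and the names `AuditTrail` and `review_folder` are constructed for illustration.

```python
import hashlib, json

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only, hash-chained log of raw-data file acquisitions."""
    def __init__(self):
        self.entries = []

    def record(self, name, content, user, ts):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries) + 1, "name": name,
                "sha256": hashlib.sha256(content).hexdigest(),
                "user": user, "ts": ts, "prev": prev}
        self.entries.append({**body, "entry_hash": digest(body)})

    def chain_intact(self):
        """False if any entry was edited, removed or reordered after the fact."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def review_folder(trail, folder):
    """Compare folder contents (name -> bytes) with the trail; return findings."""
    findings, latest = [], {}
    for e in trail.entries:
        if e["name"] in latest:  # same sequential name acquired twice
            findings.append(("NAME_REUSED", e["name"], e["user"]))
        latest[e["name"]] = e
    for name, e in latest.items():
        if name not in folder:
            findings.append(("MISSING", name, e["user"]))
        elif hashlib.sha256(folder[name]).hexdigest() != e["sha256"]:
            findings.append(("CONTENT_CHANGED", name, e["user"]))
    findings += [("UNLOGGED", n, None) for n in sorted(folder.keys() - latest.keys())]
    return findings

def demo():
    """Constructed data: run_0002 is deleted and the name reused for a repeat run."""
    trail, folder = AuditTrail(), {}
    runs = [("run_0001.dat", b"inj 1", "analyst_a", "2014-01-10T09:00"),
            ("run_0002.dat", b"inj 2 first", "analyst_a", "2014-01-10T09:20"),
            ("run_0002.dat", b"inj 2 repeat", "analyst_a", "2014-01-10T09:50"),
            ("run_0003.dat", b"inj 3", "analyst_a", "2014-01-10T10:10")]
    for name, data, user, ts in runs:
        folder.pop(name, None)  # OS-level deletion leaves no trace in the folder
        trail.record(name, data, user, ts)
        folder[name] = data
    return review_folder(trail, folder), trail.chain_intact()
```

The folder ends up holding three files in unbroken sequence, while the trail still reports the reused name; attributing that entry to a person only works when each analyst has an individual login.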
The Warning Letter for the API manufacturer Trifarma doesn't refer to the respective sections from the CFR. Yet, here again it focused on possible unauthorised manipulation of raw data in the lab. Corresponding provisions were non-existent. Concretely, the following aspects have been addressed:
- The laboratory systems did not have access controls to prevent deletion or alteration of raw data
- All laboratory employees were granted full privileges to the computer systems
- HPLC and GC computer software lacked active audit trail functions to record changes to data, including information on original results, the identity of the person making the change, and the date of the change
- The response did not describe the audit trails for the processing of the data on your system.
- The response also states the firm has begun to retain electronic raw data on the local hard drive, but without proper safeguards to ensure they cannot be deleted prematurely
From the authority's view, the current focus of IT topics generally concerns the question of data and system security, particularly the traceability of changes by means of Audit Trails.