On August 4, 2021, the FDA issued a Warning Letter to the Chinese company BBC Group Limited, among others a manufacturer of hand sanitizers, based on an inspection in March 2021. The company's responses of April 13, 2021 to the complaints listed in the Form 483 were insufficient in the FDA's view. FDA Warning Letters always reference the GMP requirements set forth in 21 CFR Part 211, in this case for data integrity complaints:
"Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(a))"
When attempting to evaluate analytical data from a gas chromatograph, the inspector received the response that all test data from 2018 - 2020 had been irrevocably lost one month before the inspection. Still existing "static" copies on paper are not sufficient because they neither contain the dynamic data of the complete chromatogram nor the complete documentation of the system suitability.
There were also no suitable access rules to the systems. All laboratory employees logged on to the GC as "system administrator". This login as "system administrator" did not require a password although all administrator rights were assigned to the "system administrator". Likewise, the audit trail function was not activated.
Analyzers had the ability to record data obtained during the analysis. However, the employee had not used this possibility and thus made it impossible for the FDA inspector to check the data.
Spreadsheets were used to enter data for the stability program. These spreadsheets were not subject to any control and there was no protection against data manipulation, overwriting or deletion.
The responses of the company were insufficient. Why?
The company said it had purchased and/or installed additional equipment to address the complaints. Procedures had also been updated and further developed, individual accounts had been set up for all employees, and more extensive training had been conducted. However, for the FDA the evidence for this was missing. There was also a lack of retrospective risk assessment of the vulnerabilities with respect to data integrity. Overall, the FDA was missing the evidence that the accuracy and integrity of quality-related data were assured.
What is the FDA expecting in answering this Warning Letter?
As is often the case with serious deviations, the FDA recommends a qualified consultant to assist in correcting the problems. In addition, the FDA lists specific actions for responding to the Warning Letter:
A comprehensive investigation of the extent of the inaccuracies in the data sets and the reports is requested, particularly with regard to medicinal products marketed in the United States. A detailed description of the scope and root causes of the data integrity deficiencies is also requested.
For the identified deficiencies, an up-to-date risk assessment should be carried out with regard to the impact of these deficiencies on the quality of the medicinal products and the risk to the patient.
It is expected that management specifies a strategy for the company with regard to a global CAPA plan. This plan should include, in particular, how the reliability and completeness of the data generated in the company will be ensured. To identify inadequate documentation practices, a complete evaluation of all documentation systems used in manufacturing and in the laboratory is required. This includes a comprehensive CAPA plan to correct documentation practices.
A comprehensive and independent assessment and CAPA plan for the security and integrity of computerized systems is required. This includes a report that identifies design and control weaknesses and appropriate corrective actions for each computerized system in the laboratory. This report is intended to address the following issues that were also mentioned almost congruently in the Warning Letter to Stason Pharmaceuticals from July 2020. Therefore, only the additional issues are mentioned: It should be explained how it is ensured that laboratory personnel do not obtain administrative rights that jeopardize data retention and reliability.
Further, a comprehensive, independent assessment of the change management system is expected. This evaluation should include, but not be limited to, the procedures used to ensure that changes are justified, reviewed, and approved by the quality department. The change management program should also include requirements for determining the effectiveness of changes.