Warning Letter – Sun Pharmaceutical Industries Limited

Sun Pharmaceutical Industries Limited
Product: pharmaceutical manufacturing facility
Date: 5/7/2014

1. Failure to ensure that laboratory records included complete data derived from all tests necessary to ensure compliance with established specifications and standards.
Your firm frequently performs “unofficial testing” of samples, disregards the results, and reports results from additional tests. For example, during stability testing, your firm tested a batch sample six times and subsequently deleted this data.

Our investigators found your practice of performing initial “trial” sample high performance liquid chromatography (HPLC) analyses prior to acquiring the “official” analyses. The “trial” sample results were subsequently discarded. “Trial” HPLC analyses for (b)(4) USP ((b)(4)) were apparently run as part of the 12-month long-term stability studies on batch #(b)(4) for related substances. The inspection revealed that on August 26, 2011, your employee ran an HPLC analysis sequence with the sample names (b)(4) and subsequently deleted the raw data files. It was noted that the assigned names for the sequence injections indicate that your quality control staff named the samples using the last three digits of the batch numbers to link the “trial” injections for the batches with the official assay analyses. Your Senior Quality Control (QC) Officer confirmed that these were analyses of batch samples. Furthermore, we found that on August 27, 2011, this batch was analyzed for unknown impurities and the results were reported to be within specifications. However, the chromatographic data showed that the “trial” injection data for this batch failed the unknown impurities specification of (b)(4)% in multiple cases.

Your Senior QC Officer confirmed that QC laboratory employees had frequently practiced the use of “trial” injections at your facility. Significantly, in addition to the example above, our inspection found 5,301 deleted chromatograms on a computer used to operate two HPLC instruments in your QC laboratory. Many of these files were “trial” injections of batches.

In addition, the inspection revealed numerous examples of deleted GC electronic raw data files on the computer controlling the GC instruments that were replaced with identical “official” chromatogram file names. The identically named GC data files that were deleted had been created at different times and contained disparate data. Also, it appeared that data was not consistently archived to the central server.

Your response is inadequate in that you did not conduct an adequate investigation into the pervasive practice of deleting files. In the reports provided in your response, you did not identify what criteria you used to designate each type of HPLC and GC data files (e.g. blanks, standards, samples, and system suitability runs). The response does not identify any impurity standards used in your procedures and does not provide the procedures that your firm was using to conduct the “trial” and “unofficial” runs. In addition, your investigation found 47 instances of apparent trial injections of samples for which the results were out-of-specification (OOS), and some of these batches were distributed to the U.S. market. The investigation failed to adequately examine why your analysts hid or deleted these runs. Your response only explains that your firm chose to retest samples from the implicated lots, but does not address the causes of the original OOS results, or justify the basis of your decision to invalidate the original failing result and accept the passing retest result. Such an investigation is necessary for any OOS event. Refer to the FDA’s guidance on OOS investigations, Guidance for Industry, Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production.

The above examples suggest a general lack of reliability and accuracy of data generated by your firm’s laboratory, which is a serious CGMP deficiency that raises concerns about the integrity of all data generated by your firm. We are concerned that your laboratory allowed the practice of “trial” injections and deletion of both GC and HPLC files to persist without implementation of controls to prevent data manipulation until at least September 2013. Your company’s executive management is responsible for ensuring the quality, safety, and integrity of your products. Implementing adequate controls and systems to prevent manipulation of laboratory data is at the foundation of fulfilling this critical responsibility.

Our investigators also observed significant violations regarding the finished drug product manufacturing operations at your facility, including, but not limited to, the following:

1. Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records (21 CFR 211.68(b)).

The investigator identified numerous deleted raw data files on computers used for your GC instruments in your quality control laboratory. The software (“GC Solutions”) on the computers used to control the GC instruments allowed your analysts to delete files from the computer’s hard drive with no audit trail or other adequate form of traceability in the operating system to document the deletion activity. The software as configured assigned sequential, numerical names to raw data files within the same folder. When a raw data file was deleted or moved out of the designated folder, the next file recorded into the folder would be saved with an identical name as the deleted file. As a result, data can be manipulated so that saved files appear to be in sequence even if they were not generated sequentially. Due to the basic lack of audit trail and data security, an analyst could delete analytical files without traceability of this unacceptable practice.

The inspection revealed that you stored GC raw data files in multiple folders on the hard drives in the QC laboratory. Your Senior QC Officer stated you had no written procedure describing the management of GC raw data file storage. According to your firm’s electronic data archival SOP IT-001, each QC analyst manually transferred individual raw data files to the central server at (b)(4). Your procedure did not address how this data transfer by QC analysts could be reliably verified, and whether proper computerized system controls will be implemented by your company.

We acknowledge your firm’s commitment to amend the data handling system of your GC instruments to implement controls that ensure that analyses performed by employees are maintained as accurate, with data integrity and traceability. In your response to this letter, describe your detailed systemic improvements, training activities, and other actions implemented to provide evidence of the effectiveness and sustainability of these changes.

FDA District Office: Center for Drug Evaluation and Research
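
The letter describes sequentially numbered raw data files whose names are reused after a deletion, so a folder can look complete and in order when it is not. The following is an added example, not part of the letter or of any vendor software: a review check that compares sequence numbers against file creation times. The `run_NNNN.dat` naming pattern and the sample listing are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample listing (file name, creation time); not inspection data.
# The run_NNNN.dat pattern is a hypothetical stand-in for the real naming scheme.
SAMPLE_LISTING = [
    ("run_0001.dat", "2024-01-10T09:00:00"),
    ("run_0002.dat", "2024-01-10T09:40:00"),
    ("run_0003.dat", "2024-01-11T14:10:00"),  # created after 0004 and 0005
    ("run_0004.dat", "2024-01-10T11:00:00"),
    ("run_0005.dat", "2024-01-10T11:45:00"),
    ("run_0007.dat", "2024-01-11T15:00:00"),  # 0006 is absent
]

# Trailing run of digits just before the file extension.
SEQ_RE = re.compile(r"(\d+)(?=\.[^.]+$)")


def audit_sequence(listing):
    """Flag reused sequence names and missing sequence numbers in one folder."""
    files = []
    for name, created in listing:
        match = SEQ_RE.search(name)
        if match is None:
            continue  # not a sequentially named raw data file
        files.append((int(match.group(1)), name, datetime.fromisoformat(created)))
    files.sort()

    findings = {"reused_names": [], "missing_numbers": []}

    # A gap means a file was deleted or moved and no later run has filled the slot.
    for (low, _, _), (high, _, _) in zip(files, files[1:]):
        findings["missing_numbers"].extend(range(low + 1, high))

    # Walk from the highest number down, tracking the earliest creation time
    # seen so far. A file created later than some higher-numbered file cannot
    # be the original holder of its name.
    earliest_later = None
    for _, name, created in reversed(files):
        if earliest_later is not None and created > earliest_later:
            findings["reused_names"].append(name)
        if earliest_later is None or created < earliest_later:
            earliest_later = created
    findings["reused_names"].reverse()
    return findings


if __name__ == "__main__":
    print(audit_sequence(SAMPLE_LISTING))
```

File system timestamps can themselves be changed by anyone with write access, so this check supports a review but does not replace an audit trail enforced by the acquisition software or operating system.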

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.
