FDA investigators issued a 483 to a firm that generated Certificates of Analysis (COAs) for repackaged APIs on uncontrolled Word documents. These files lacked unique usernames, passwords, or audit trails, meaning COAs could be created, modified, or deleted without accountability.
Even more concerning, the same inspection revealed that the firm’s Gas Chromatography-Mass Spectrometry software allowed analysts to delete and modify data without restrictions. There were no audit trails, no individual analyst logins, and even the system clock could be manipulated. These weaknesses make it nearly impossible to ensure the integrity of analytical results.
FDA’s guidance on data integrity is clear: all records must be attributable, legible, contemporaneous, original, and accurate (ALCOA). Generating COAs outside of a controlled system, or operating analytical instruments without audit trails, undermines every one of these principles.
Data integrity is as critical as product quality. Without proper controls, firms risk: Undetected falsification or manipulation of data, invalid release decisions based on potentially inaccurate COAs, and the loss of trust with FDA and clients.
The 483 reads as follows:
…..Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel.
Specifically, your firm generates certificate of analysis (COA) for all repackage APIs on an uncontrolled word document that lacks a required unique username/password combination. For example, your firm generated a COA for the API, …, manufacture lot …, Batch #…. There are no controls in place to monitor the creation, deletion, or distribution of COAs in the uncontrolled word document.
Additionally, your firm lacks an audit trail functionality for both the electronic software used to generate labels and the uncontrolled word document used to generate COAs for repackaged and distributed APIs.
