Warning Letter – Cybersecurity of Electronic Records

Yuki Gosei Kogyo Co., Ltd.
Date:8/10/18

Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and failure to have adequate controls to prevent omission of data. Your firm’s controls over your HPLC systems are inadequate. Some HPLC systems did not have audit trail capability or audit trails enabled. In addition, unique user names and passwords were not required to perform HPLC activities. You stated that you did not create unique usernames and passwords so that operators in different (b)(4) could continue what previous operators had initiated. In your annual product reviews, you used unprotected Excel worksheets to perform calculations and statistical evaluations of production data, such as standard deviation and process capability. These electronic files were not secured to prevent unauthorized changes, and have no change history. Your firm’s lack of data control calls the reliability of your data into question. Your response stated that you stopped operating these HPLC systems without audit trail capability. Your response also stated that you will create a procedure for control of your electronic worksheets. Your response is inadequate because you have not assessed the effects of using data from uncontrolled HPLC systems or unsecured worksheets on your products. In response to this letter, provide a comprehensive, independent review of controls and procedures for electronic data generated from all of your laboratory equipment. Based on this review, provide a detailed corrective action and preventive action (CAPA) plan to remediate laboratory systems, including but not limited to data creation, modification, maintenance, retention, and system security. Your plan should also include the process you will use to evaluate CAPA effectiveness. Data Integrity Remediation Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture. We acknowledge that you are using a consultant to audit your operation and assist in meeting FDA requirements. Each third-party consultant used by your firm must be qualified for their specific assigned function, including data integrity remediation. In response to this letter, provide the following. A. A comprehensive investigation into the extent of the inaccuracies in data records and reporting. Your investigation should include: A detailed investigation protocol and methodology; a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment; and a justification for any part of your operation that you propose to exclude. Interviews of current and former employees to identify the nature, scope, and root cause of data inaccuracies. We recommend that these interviews be conducted by a qualified third party. An assessment of the extent of data integrity deficiencies at your facility. Identify omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies. Describe all parts of your facility’s operations in which you discovered data integrity lapses. A comprehensive retrospective evaluation of the nature of the testing, manufacturing, and other data integrity deficiencies. We recommend that a qualified third party with specific expertise in the area where potential breaches were identified should evaluate all data integrity lapses. B. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analysesof the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations.

Schedule Discussion with John F. Murray, Jr.

John is currently providing telephone and face-to-face meetings to discuss:  Cybersecurity, Part 11, 483 Response, design controls expectations for software documentation, and other topics.

Leave a message and we will contact you to schedule:

Corporate Office

+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TN) and Italy.