- Delivery Method:
- VIA UPS
Recipient NameMr. Marcelo C. Mansur
Recipient TitleCEO and President
- Nortec Quimica SA
Rua Dezessete, 200, Distrito Industrial
Duque de Caxias-RJ
- Issuing Office:
- Center for Drug Evaluation and Research | CDER
Warning Letter 320-23-07
December 8, 2022
Dear Mr. Mansur:
The U.S. Food and Drug Administration (FDA) inspected your drug manufacturing facility, Nortec Quimica SA, FEI 3007616930, at Rua Dezessete, 200, Distrito Industrial, Xerem, Duque de Caxias, Rio de Janeiro from July 18 to 22, 2022.
This warning letter summarizes significant deviations from current good manufacturing practice (CGMP) for active pharmaceutical ingredients (API).
Because your methods, facilities, or controls for manufacturing, processing, packing, or holding do not conform to CGMP, your API are adulterated within the meaning of section 501(a)(2)(B) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), 21 U.S.C. 351(a)(2)(B).
We reviewed your August 11, 2022, response to our Form FDA 483 in detail and acknowledge receipt of your subsequent correspondence.
During our inspection, our investigator observed specific deviations including, but not limited to, the following.
1. Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and failure to have adequate controls to prevent omission of data.
Your firm did not have system security and access control over its electronic data and software systems.
Your analysts had access to delete and overwrite data. Our investigator observed over 100 deleted files in the recycle bins on the infrared (IR) spectrophotometer computer and on the ultraviolet-visible (UV-Vis) spectrophotometer computer. Specifically, multiple deleted analytical files had batch numbers in the filename and included files related to (b)(4) API, which your firm exports to the United States. The investigator also observed that the stand-alone computer systems for your UV-Vis and IR spectrophotometers failed to have usernames attributable to specific individuals, and instead used a common username. No password was required to sign into the Windows operating system, nor did the analytical software require any additional user log in. Further, you did not back up your stand-alone computers used to operate your UV-Vis and IR spectrophotometers.
To ensure data integrity, actions performed must be attributable to a specific individual in your CGMP computer systems, and equipment should be appropriately controlled to prevent deletion and/or changes except by authorized personnel.
In your response, you state you restricted access and permissions in the automated data system, implemented back-up practices for stand-alone computerized systems, and opened an investigation to review the content of the files found in the recycle bins. However, your response is inadequate because it does not address the overall lack of traceability of previous drug analyses, nor does it include a comprehensive strategy to confirm the validity of the previous analytical data used to release drugs. In addition, you also have not shown how these controls ensure that the records relied upon for batch release and other quality review decisions are complete and accurate.
In your response to this letter, provide:
• A comprehensive, third-party assessment and corrective action and preventive action (CAPA) plan for computer system security and integrity. Include a report that identifies vulnerabilities in the design and controls, and appropriate remediations for each of your laboratory computer systems. This should include, but not be limited to:
o A list of all hardware that includes all equipment, both standalone and network, in your laboratory.
o Identification of vulnerabilities in hardware, software, and non-networked systems (e.g., PLC).
o A list of all software configurations (both equipment software and LIMS), details of all user privileges up to an including administrator rights, and oversight roles for each of your laboratory systems. Regarding user privileges, specify user roles and associated user privileges (including the specific permissions allowed for those with administrative privileges) for all staff levels who have access to the laboratory computer systems, and their organizational affiliation and title.
o System security provisions, including but not limited to, whether unique usernames/passwords are always used, and their confidentiality safeguarded.
o A detailed summary of your procedural updates and associated training for user role assignment and controls.
o Your remediated program for ensuring strict ongoing control over electronic data to ensure that all additions, deletions, or modifications of information in your electronic records are authorized, and all data is retained.
o Your remediated program for ensuring strict ongoing control over paper-based data to ensure that all additions, deletions, or modifications of information in your electronic records are authorized, and all data is retained.
o Provisions for oversight from quality assurance (QA) managers, executives, and internal auditors with appropriate IT expertise (e.g., infrastructure; configuration; network requirements; segregation of duties including administrator rights).
o An enhanced standard operating procedure (SOP) that ensures that all quality control tests, irrespective of whether captured in paper-based or electronic systems, are performed appropriately by an analyst, and receive second-tier review from a separate responsible (e.g., manager) individual.
o Technological improvements to increase the integration of data generated through electronic systems from standalone equipment (e.g., balances, pH meters, water content testing) into the LIMS network.
o Detailed procedures for your review of audit trail data.
o Interim control measures and procedural changes for the control, review, and full retention of laboratory data.
2. Failure of your quality unit to review batch production records and laboratory control records prior to distribution of an API batch.
Your quality unit (QU) failed to have well-defined processes or other sufficient control systems to ensure the adequate evaluation of batch related documentation before release of the API for distribution.
Responsibilities of the Quality Unit
Your QU did not review the complete record of the raw data generated during each test in the software for your chromatography system. For example, the QU did not review the spectra data in the system and applicable audit trails to ensure appropriate methods were used, the sequence was set up properly, and manual integration was performed adequately.
In your response, you state that you plan to implement a process to perform the electronic review of the data generated by the chromatography software and perform a risk assessment of analytical data generated for the release and stability of the API commercially distributed in the United States in the last two years. However, your response is inadequate because it lacks sufficient details describing the process of how the electronic review of this existing data would be performed, such as whether the reviewer will evaluate the complete record of the raw data generated during each test from the chromatography systems in terms of chromatography methods, injection sequences, and system suitability. In addition, your response does not describe how the verification of the manual integration practices used during peak quantitation will be accomplished to ensure the adequate determination of the peak areas.
Laboratory Control Records
Your QU failed to ensure there are basic controls in place to prevent changes to your CGMP documentation. For example, the “analytical worksheet forms” used for recording testing results in the quality control (QC) laboratory are not controlled as there was no unique number, signature, or any other traceable element on the forms themselves to identify when or by whom it was issued.
In your response, you state that you plan to implement a process to ensure the traceability of “analytical worksheet forms.” However, your response is inadequate because it did not provide sufficient details to describe the process of how these documents would be managed after they had been issued nor did you propose to investigate the overall lack of traceability for the previous drug analyses or perform a risk assessment to review the impact of incomplete analytical data records on your evaluation of API quality.
Your QU must review all the raw data generated during each test and all the completed laboratory control records when making batch release decisions.
In response to this letter, provide:
• An overview of the controls you will implement to ensure that any manual integration steps are performed only under defined, limited circumstances according to a protocol approved and supervised by your QU.
• A comprehensive review of all instances of chromatographic manual integration for your UV-Vis and IR spectrophotometers for U.S. marketed products within expiry. Provide scientific justification for the manual integration parameters you used for your analysis. For integrations that lacked scientific justification, provide your plan for reintegration with appropriate reintegration parameters. Assess whether reintegration results comply with your established API acceptance criteria. If out-of-specification (OOS) results are identified, provide the actions taken to ensure the quality of your drugs.
• A reanalysis plan for all batches within retest dates that were released for U.S. marketed products within expiry.
• A complete assessment of documentation systems used throughout your manufacturing and laboratory operations to determine where documentation practices are insufficient. Include a detailed CAPA plan that comprehensively remediates your firm’s documentation practices to ensure you retain attributable, legible, complete, original, accurate, contemporaneous records throughout your operation.
Data Integrity Remediation
Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture. See FDA’s guidance document Data Integrity and Compliance With Drug CGMP for guidance on establishing and following CGMP compliant data integrity practices at: https://www.fda.gov/files/drugs/published/Data-Integrity-and-Compliance-With-Current-Good-Manufacturing-Practice-Guidance-for-Industry.pdf.
In response to this letter, provide:
A. A comprehensive investigation into the extent of the inaccuracies in data records and reporting including results of the data review for drugs distributed to the United States. Include a detailed description of the scope and root causes of your data integrity lapses.
B. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity and analyses of the risks posed by ongoing operations.
C. A management strategy for your firm that includes the details of your global CAPA plan. The detailed corrective action plan should describe how you intend to ensure the reliability and completeness of all data generated by your firm including microbiological and analytical data, manufacturing records, and all data submitted to FDA.
CGMP Consultant Recommended
Based upon the nature of the deviations we identified at your firm, you should engage a consultant qualified as set forth in 21 CFR 211.34 to assist your firm in meeting CGMP requirements. The qualified consultant should also perform a comprehensive audit of your entire operation for CGMP compliance and evaluate the completion and efficacy of your CAPAs before you pursue resolution of your firm’s compliance status with FDA.
The deviations cited in this letter are not intended to be an all-inclusive list of deviations that exist at your facility. You are responsible for investigating and determining the causes of any deviations and for preventing their recurrence or the occurrence of other deviations.
Correct any deviations promptly. FDA may withhold approval of new applications or supplements listing your firm as a drug manufacturer until any deviations are completely addressed and we confirm your compliance with CGMP. We may re-inspect to verify that you have completed corrective actions to any deviations.
Failure to address any deviations may also result in the FDA refusing admission of articles manufactured at Nortec Quimica SA, Rua Dezessete, 200, Distrito Industrial, Xerem, Duque de Caxias, Rio de Janeiro, into the United States under section 801(a)(3) of the FD&C Act, 21 U.S.C. 381(a)(3). Articles under this authority that appear to be adulterated may be detained or refused admission, in that the methods and controls used in their manufacture do not appear to conform to CGMP within the meaning of section 501(a)(2)(B) of the FD&C Act, 21 U.S.C. 351(a)(2)(B).
This letter notifies you of our findings and provides you an opportunity to address the above deficiencies. After you receive this letter, respond to this office in writing within 15 working days1. Specify what you have done to address any deviations and to prevent their recurrence. In response to this letter, you may provide additional information for our consideration as we continue to assess your activities and practices. If you cannot complete corrective actions within 15 working days, state your reasons for delay and your schedule for completion.
Send your electronic reply to CDER-OC-OMQ-Communications@fda.hhs.gov. Identify your response with FEI 3007616930 and ATTN: Frank Wackes.
Office of Manufacturing Quality
Office of Compliance
Center for Drug Evaluation and Research
1 Under program enhancements for the Generic Drug User Fee Amendments (GDUFA) reauthorization for fiscal years (FYs) 2023-2027, also known as the GDUFA III Commitment Letter, your facility may be eligible for a Post-Warning Letter Meeting to obtain preliminary feedback from FDA on the adequacy and completeness of your corrective action plans.