GAMP Ireland
Regulatory Update
October 17th 2013
1
Aarti Drugs
•
Failure to implement access controls and audit trails for laboratory computer
systems.
•
For example, your firm failed to have adequate procedures for the use of
computerized systems used in the QC laboratory. At the time of the
inspections, your QC laboratory personnel shared the same username and
password for the operating systems and analytical software on each
workstation in the QC laboratory. In addition, no computer lock mechanism
had been configured to prevent unauthorized access to the operating
system. The investigator noticed that the current QC computer users are
able to delete data acquired. In addition, the investigator found that there is
no audit trail or trace in the operating system to document deletions.
•
Additionally, …….., the investigator noticed that the use of the Excel®
spreadsheets in analytical calculations are neither controlled nor protected
from modifications or deletion. The investigator noticed that the calculation
for residual solvent for XXXXXX uses an Excel spreadsheet that has not
been qualified. We are concerned about the data generated by your QC
2
laboratory from non-qualified and uncontrolled Excel spreadsheets.
Agila Specialties Private
Limited
• Your firm failed to exercise appropriate controls over computer or
related systems to assure that only authorized personnel institute
changes in master production and control records, or other
records (21 CFR 211.68(b)).
• Your firm’s “Jasco LC-Net II” HPLC instruments do not have
restrictions in place to prevent any change or deletion of analytical
raw data. Additionally, there is no audit trail in place to determine
any previous deletion of raw data.
• We acknowledge that you have discontinued usage of all Jasco
systems, and will assess previous use of the Jasco systems. In your
response, please submit an assessment of the integrity of the data
from the Jasco systems only for lots of finished product still within
expiry as of the date of this letter.
3
Fisioline s.r.l.
• Failure to validate computer software for its intended use according
to an established protocol when computers or automated data
processing systems are used as part of production or the quality
system, as required by 21 CFR 820.70(i). For example, the
software developed by your firm to record, evaluate, investigate,
correct and repair incoming technical assistance calls, complaints,
and service records was implemented in the first part of October
2012, and has not been validated. No validation documentation was
available for an established protocol, any testing data, or a finished
report for the validation of this system. Mr. Lucca Ferrua, the
Assistant Manager, indicated that your firm had not validated the
software system.
4
Fresenius Kabi
Oncology Ltd
• We observed and documented practices during the inspection that
kept some samples, data and results outside of the local systems for
assessing quality. This raises serious concerns regarding the
integrity and reliability of the data generated at your Kalyani plant.
For example,
– a. Our review of the Chromeleon and Empower II software found that your firm
was testing samples unofficially, and not reporting all results
obtained. Specifically, “test,” “trial” and “demo” injections of intermediate and
final API samples were performed, prior to performing the tests that would be
reported as the final QC results.
– b. Out-of-specification or undesirable results were ignored and not investigated.
– c. Samples were retested without a record of the reason for the retest or an
investigation. Only passing results were considered valid, and were used to
release batches of APIs intended for US distribution.
– d. Unacceptable practices in the management of electronic data were also
noted. The management of electronic data permitted unauthorized changes, as
digital computer folders and files could be easily altered or deleted.
5
FSSB Chirurgische
Nadeln Gmbh
• Failure to validate computer software for its intended use
according to an established protocol when computers or
automated data processing systems are used as part of
production or the quality system, as required by 21 CFR
820.70(i). For example, your firm uses custom automatic
machines in the needle production process. Your firm
stated that it performed software validation for the
automatic machines and that the software protocol was
tested, but these validation activities were not
documented.
6
Invatec S.p.A.
• Failure to validate computer software for its intended use according
to an established protocol, as required by 21 CFR 820.70(i). For
example, Section 7.3.5 of Invatec’s Process Validation Procedure
(#PRC/04/07/.00.10), dated October 16, 2012, states,
• “When the manufacturing or test equipment contains software or
firmware that is used to operate the equipment, the software will be
validated for its intended use per PRC/03A/06.00.01.”
• The inspection revealed that the following software-controlled
manufacturing equipment used to process the Amphirion Plus PTA
Catheter was never validated
7
Jabones Pardo S.A.
• Your firm failed to routinely calibrate, inspect, or check according to
a written program designed to assure proper performance and to
maintain adequate written records of calibration checks and
inspections of automatic, mechanical, electronic equipment, or other
types of equipment, including computers, used in the manufacture,
processing, packing, and holding of a drug product (21 CFR
211.68(a)).
• Specifically, your firm failed to establish a validation program for the
computer software Microsoft Dynamics used for production,
inventory, lot number generation, and laboratory test methods used
for raw material, bulk, and finished product test release ………
• In response to this letter, provide your validation plan/protocol for the
Microsoft Dynamics system. Include timelines and a schedule of all
corrections.
8
Posh Chemicals
•
•
•
During the timeframe of March 3-8, 2013 the FDA inspected Posh
Chemicals Private Ltd, Hyderabad, India. A total of three Observations
were received. Of particular note is Observation 1 which is similar to
Observations from several other Warning Letters to include Sandoz and
Cephazone Pharma. The Observation stated:
Failure to protect computerized data from unauthorized access or changes.
Our inspection found that there were no restrictions to access the laboratory
data residing on the workstations attached to your standalone
instrumentation: (b)(4) High Pressure Liquid Chromatographs (HPLCs), the
Fourier Transform Infrared Spectrophotometer (FTIR), the gas
chromatograph (GC) and the drives and portable media used as backups. There was no protection of the data from alteration and deletion and
no audit trails to detect if such alteration or deletion had occurred.
9
Posh Chemicals
•
•
You have stated that you are in the process of purchasing and updating
software to handle these problems. You have also stated that there had
been no misconduct by laboratory personnel. However, our investigator
uncovered misconduct by laboratory personnel (see issue 3 below). Please
provide a detailed summary of your investigations that led to the conclusion
that no misconduct occurred. Also, please provide a description of your
corrections, including system upgrades. This description should be detailed
enough to determine if this deficiency has been addressed.
The Sandoz Warning Letter (August 12, 2008) included the following
Observation which had many similarities
10
Posh Chemicals
•
•
•
•
•
•
•
The uChek app -- which was developed by India-based Biosense Technologies
Private and released in Apple's App Store earlier this year -- allows users to check
levels of blood, protein and other substances in their urine.
The app relies on users -- such as diabetics seeking to check glucose levels -- to dip
test strips in urine and use a smartphone camera to provide the app with an image it
can use to generate automated findings.
The app works with Siemens AG or Bayer AG test strips, which only have received
FDA approval for visual readings by humans.
Details of Inquiry
In a letter to Biosense, FDA said, "Since your app allows a mobile phone to analyze
the dipsticks, the phone and device as a whole functions as an automated strip
reader." The agency added, "When these dipsticks are ready by an automated strip
reader, [they] require new clearance as part of the test system."
The letter also said that Biosense may need to obtain FDA clearance for the entire
uChek app.
According to FDA, "any company intending to promote their device for use in
analyzing, reading, and/or interpreting these dipstick[s] needs to obtain clearance for
the entire urinalysis test system."
11
Regulatory Update
•
•
•
•
•
•
•
•
Personal information for more than four million patients could have been compromised after the July
theft of four computers from a health system in Illinois, Healthcare IT News reports (McCann,
Healthcare IT News, 8/26).
Details of Breach
On July 15, four unencrypted computers -- containing data for more than four million patients -- were
stolen from an Advocate Medical Group administrative building in Park Ridge, Ill.
Kelly Jo Golson -- senior vice president and chief marketing officer at Advocate Health Care -- said
the computers were password-protected but not encrypted (Frost/Wernau, Chicago Tribune, 8/24).
Officials at Advocate Health Care have contacted local authorities, but the computers have not yet
been recovered.
The information contained on the computers included patients':
– Addresses;
– Dates of birth;
– Names; and
– Social Security numbers.
– In addition, the computers contained clinical information, such as:
– Health insurance data; and
– Medical diagnoses and record numbers.
Golson said the health system began sending letters to affected patients on Friday, Aug. 23, offering
a year of credit monitoring at no cost.
Data from HHS indicates that Advocate's breach is the second biggest HIPAA [Health Insurance
12
Portability and Accountability Act] breach ever reported (Healthcare IT News, 8/26).