Monday, October 31, 2016

Two new US FDA warning letters cite data integrity deviations...

For this Czech API supplier:
1.    Failure to prevent unauthorized access or changes to data, and to provide adequate controls to prevent manipulation and omission of data.

Your quality control unit did not have basic controls to prevent changes to your electronically-stored laboratory data. Your analysts had user privileges to the Empower-2 system used to generate and analyze chromatographic data that allowed them to eliminate failing, atypical and satisfactory results with no notification; alter peak areas; and add or eliminate samples from sequences without authorization...

Your quality unit must review all pertinent analytical data when making batch release decisions. However, your automated system permitted analysts to delete and alter test results without authorization. As a result, your quality unit was presented with incomplete and inaccurate information about the quality of your drugs.

According to your response, you restricted access and permissions in the Empower 2 automated data system. However, your response does not demonstrate how the specific controls you have implemented prevent deletion or alteration of data, nor have you shown how you will ensure that these permissions are documented, implemented, and followed. Finally, you have not shown how these controls ensure that records relied upon for batch release and other quality review decisions are complete and accurate.

2.    Failure to ensure that test procedures are scientifically sound and appropriate to ensure that your API conform to established standards of quality and/or purity.  

Your laboratory procedures allowed analysts to modify chromatographic sequences and delete results with no justification...

According to your response, you scheduled training on manual integration for all analysts who use Empower-2 software. You have not shown how you will ensure that your test methods are appropriate to determine whether your API conform to established standards and specifications.

In response to this letter, provide your action plan for developing, validating, and implementing chromatographic test methods to analyze the quality attributes of your drugs. Specify the procedures you will implement to process your chromatographic data related to all test results and audit trail functionality. Detail how you will review chromatographic results as part of the batch release procedure and documentation. Specify the controls you will implement to ensure that any manual integration steps are performed only under defined, limited circumstances according to a protocol approved and supervised by your quality unit.

Finished Product Violations

1.    Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records or other records (21 CFR 211.68(b)).

For example, our investigator reviewed an audit trail for impurities testing conducted on (b)(4) validation lot (b)(4), number (b)(4) vial # (b)(4), Injections 1 and 2. The audit trail revealed many deleted results and manual integrations.

As discussed above, deleted and altered analytical test results mean that your quality unit is presented with incomplete and inaccurate information about the quality of your drugs.

2.    Your firm failed to establish laboratory controls that include scientifically sound and appropriate specifications, standards, sampling plans, and test procedures designed to assure that components, drug product containers, closures, in-process materials, labeling, and drug products conform to appropriate standards of identity, strength, quality, and purity (21 CFR 211.160(b)).

Your laboratory procedures allowed analysts to modify and delete chromatographic results without adequate justification, and to use manual integration in uncontrolled circumstances...

In your response to this letter, describe all steps you will take to ensure that appropriate laboratory controls have been implemented to support product quality review and batch release decisions. Include the controls you will implement for the modification, deletion, and manual integration of chromatographic test results.

For this Israeli pharmaceutical manufacturer:
5.    Your firm failed to ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards. (21 CFR 211.194(a))

Our investigators observed colony counts for environmental and personnel monitoring that did not match your official records. For example, one contact plate from a Grade B area had a reported result of (b)(4) CFU, but our investigator counted (b)(4) CFUs on the plate. Five other plates had reported results of (b)(4) CFU, although our investigator counted (b)(4) CFU on each plate.

Inaccurate reporting of environmental and personnel monitoring data undermines your ability to evaluate and maintain a state of control in your aseptic processing operation.

6.    Your firm failed to exercise appropriate controls over computer or related systems to assure that only authorized personnel institute changes in master production and control records, or other records. (21 CFR 211.68(b))

Your stand-alone computer systems lacked controls, such as routine audit trail review and full data retention, to prevent analysts from deleting data. Although you implemented a procedure to begin reviewing audit trails of your high performance liquid chromatography (HPLC) Empower system on January 11, 2016, you had not performed any reviews prior to our inspection. Furthermore, the procedure you implemented on January 11 required (b)(4) random audit trail review (b)(4).

We acknowledge your commitment to strengthening your procedures to assure user access restrictions and implement audit trails for computerized systems. However, simply activating audit trail functions and instituting user controls are insufficient to correct the data integrity problems observed at your facility and to prevent their recurrence. In response to this letter, provide details of your retrospective review of the HPLC and other laboratory data, such as Fourier transform infrared spectroscopy, gas chromatography, UV spectrophotometry, and (b)(4) analyzer data. Indicate the period covered in your review and your rationale for selecting that timeframe.

7.    Your firm failed to follow adequate written procedures for the preparation of master production and control records designed to assure uniformity from batch to batch. (21 CFR 211.186(a)) 

Our investigators found quality-related documents in a waste bin. Among these documents were an incomplete sterility test data sheet, a form used to track the movement of (b)(4) samples, a media fill incubation card, and others. The incomplete sterility test data sheet had been filled out to track information about a “(b)(4)” sterility check. After an error was observed on the original data sheet, the record was torn and discarded with no written explanation.

More information here and .

Friday, October 7, 2016

Coming soon: "sovereign" cloud with Amazon and Microsoft...

Salesforce, on the occasion of the Paris stop of its World Tour, opened its French datacenter last June. At the end of last week, AWS, the world leader in infrastructure cloud, announced that data would be hosted on French territory in 2017.

In a press release, Microsoft "announces its intention to broaden the range of cloud options offered to its customers in Europe and worldwide by offering Microsoft Azure, Office 365, and Dynamics 365 from several datacenters in France."

For French government bodies, hosting data in France is an obligation. In addition, various sectors such as banking and insurance have begun their digital transformation, and new projects tend to be cloud-native. The regulator nevertheless imposes conditions, including location on French territory for public cloud: "It is not at all a matter of limiting public procurement to national operators. Any EU provider can propose a cloud offering as long as it complies with French law, that is, keeping national archives on French territory," Claire Sibille de Grimoüard, deputy director within the interministerial service, told ZDNet in July.

Source: