USFDA 483 / Lupin, Pithampur, India / FEI 3007549629/ Inspection Mar 21 – Mar 29, 2023 / FDA Inspectors – Eileen A Liu, Yvins Dezan / Observation 6,7,8

Observation 6

Failure to requalify the HVAC systems (HEPA) for Building /Unit classified as ISO class 8 as per time interval specified by ISO standard utilized by the Firm, 14644-2:2000 (E).

In the Requalification documents for HVAC system and equipment with HEPA, reports from 3^rd party who performed the requalification is not included. 

Observation 7

Alert limit, Action limit and Acceptance limit are not established for environmental monitoring (EM) of area utilized in filling of bags with raw materials going to manufacturing area; Several cases were observed where EM test results were recorded as Informative and concluded counts are within limits.

Observation 8

The Electronic Logbook (eLog) System V1.0.0 is used for Instrument, Equipment, Area, Operation and Cleaning usage log for Production, Warehouse and Quality control departments. The eLog is not adequately controlled. Service Engineer and System Administrator are assigned same user privileges with rights to set – Security profile, Register new role, Set Global Profile, Register new user, Activate new user account, Set user account status. Register standard reason. Temporary password reset etc.

There is no procedure and practice of documenting Alarms recorded in the data acquisition software during manufacture and packaging operations, their review, investigation, assessment, trending. 

When Buildings and Manufacturing areas are classified and claimed as complying to specific ISO standard (like ISO 8), it should comply the specified requirements including frequency of requalification in line with ISO 14644 standards (Part 1, Part 2 and others). The requalification frequency should be defined and supported by a risk assessment, (typically annual basis).

When Qualification/ Requalification of systems are performed against defined protocols and data recorded in predefined templates, the original supporting data, data print outs from the equipment like particle counters, qualification certificates etc. from third party service provider should be available as annexures to the Protocols & Reports. The service providers involved in the Qualification activity should be approved by the Quality system considering their capabilities and credentials

For Environmental monitoring (EM) in different areas such as Clean Rooms, Laminar Airflow systems (LAFs), Dispensing areas etc. there should be alert limits, action limits and specification limits defined by the company, even if there is no stipulated regulatory requirements and limits. The requirements can be defined as “Informative” in the beginning in data generation phase (say for example 30 or 60 days during commissioning of facility) and further based on the trend and capability of the systems, alert, action and specification limits should be defined. It is not logical to maintain the requirement for Environmental Monitoring -Microbial counts as “Informative” as this beats the purpose of monitoring – emerging trends will be missed, actions missed / delayed as all results will be concluded as complying all the time.

In GxP computerized systems the User privileges for different levels (e.g. System Administrator, Supervisor, User, Service Engineer etc.) should be defined logically. The assignment of user privileges should be defined with the objective of preventing unauthorized changes, loss of data (inadvertent or intentional) and preserving data integrity. It is a good practice to document the rationale for providing the different privileges for different user levels in the User privilege documentation. If the System Administrator and Service provider are provided same access privileges due to system limitations (legacy systems, limited user levels), perform a risk assessment and bring in alternate controls to ensure system integrity is not compromised. Alternate controls could include for e.g. (but not limited to) verification & documentation of changes made after each Service provider login; periodic review of changes in system security / users access privileges, user role settings. However, work out a plan for upgradation of the systems to remove such limitations.

Procedure for Alarms handling should be part of the operational SOP for all GMP critical equipment, systems and instruments which generate alarms. Alarms may be categorized as Critical / Major / Only for alert (information) & actions to be taken against different alarms should be listed. Equipment and systems should ideally have an alarm log with traceability to the activity which generated the alarm. Batch review, Review of the test and results should include a review of the alarm log of equipment’s involved. A print of the alarm log can be taken and reviewed and the same can be filed along with test results; alternatively use an alarm review checklist. Typical alarm review documentation will show there was no abnormal events / alarms or in case of any abnormal critical alarms, the actions that were taken, impact assessment and conclusion. 

• Clean Room Classification related: Review the Clean Room systems and HVAC Qualification procedures. Perform a risk assessment of Clean Rooms and operations performed in different buildings, their Qualification and frequency. Accordingly redefine the Clean room Requalification frequency, documentation requirements and procedure. Take up immediate requalification of the HVAC systems with qualified and approved third party service provider, and document the qualification with all supporting raw data, print outs and certificates from the service providers.
• Review the Environmental Monitoring programme and historical data. Set acceptance limits for EM for different areas based on historical data and capability of the system. Based on the acceptance limits, set alert and action limits.
• Review all Computerized systems for control of User Access privileges. Assess whether the User access privileges provided are for operational requirements of the system and whether they pose any concerns of data loss and data integrity (For e.g is there a rationale for providing access privileges for setting security profile, registration of new roles, password reset etc to Service provider?). Accordingly revise the user access privileges for different roles and document the same with rationale. If different user levels are provided similar user privileges due to system limitations (legacy systems), perform a risk assessment and bring in alternate controls (Refer What Companies should do….), develop a plan for upgrading the systems for overcoming such system limitations with a defined time frame.
• Review and assess all equipment, systems and instruments for alarm generation and type of alarms. Define procedure for documentation and review of alarms, frequency of review of alarms and actions for different type of alarms (Refer discussions under What companies should do..)