483
Company: Eli Lilly & Company
City and Sate: Indianapolis, IN
FDA District: Detroit, MI
Dates of Inspection: 1/29-2/9, 21, 22, 23/01
18. SOP #001-001757 “Process Control System Security” is used as a global document to describe the guidelines for maintaining the security of the process control systems and related documents for Parentaeral Products Operations. However, the written procedure does not adequately describe all of the steps and controls that are performed for the DP System’s scurity and computer access. In additon:
a. there is no written procedure to describe the process that is used to assign, maintain, passwords and access levels to the control system.
23. The _ was initially qualified in 1993. Since then there have been multiple additions or modifications in 1996 and 1998. Modificiations or changes include, installing the DPS & CSV system, exchange or an in-house fan, and addition of _ compuer monitoring system. However, there is no written document that describes the current configurations of the air handler unit. In addition:
a. While the individual changes have been reviewed during the change control process, a comprehensive review of all the collective changes has not been performed in order to assure that the initial 1993 I/OQ remains to be valid and to assure that AHU does not require requalification or revalidation.
45. Non-viable particle measurements are taken with the use of a _ Particle Counter. The particle measurements are recorded onto a 3.5″ floppy disk and the data is manually transferred to the firm’s _ computer data base system. The observations are as follows:
a. There has been no formal evaluation performed in order to assure that the measurments that are printed as the permanent record is an accurate reflection of the data that is obtained via 3.5″ floppy disc from the _ Particle Counter.
b. As explained by one of the knowledgeable individuals, when the capacity of the 3.5″ floppy disc is filled, the original electronic data is not retained as a permanent record. Rather, the data on the floppy disc is overwritten and/or deleted in order to obtain the new non-viable particle counts from the various manufacturing areas that include the aspectic filling areas.
c. There is no established written procedure to describe the reuse of the 3.5″ floppy discs.
49. The 1999 and 2000 Deviation Audit Reports do not document the reasons why the following events occurred. The Deviation Audit Reports revealed numerous occasions when personnel failed to:
a. perform the “self-monitoring” during the EM sampling;
b. perform some of the _ EM sampling;
c. enter the EM plate count data into the _ Computer System;
d. locate some of the EM incubated samples; or,
e. locate some of the blue color and analytical task sheets
55. SOP #009138 “GMP Computer Systems and Purchasd Automated Systems in Quality Control Laboratories (FDA-Regulated)” establish validation requirements for GMP computer systems. For example:
a. The firm did not reviewed the software source code which operates the _ Automated Microabial Identifrications Sample Prep Workstation to see if it met their user requirements before installation and operation.
b. The procedure describes establishing a written security policy, maintain an access control roster, and virus protection will be installed. Howver, there is no written security policy, and there is no virus protection installed for the _ AWS.
c. The procedure also describes that _ copies of the archived data will be prepared and the _ copies will be stored in separate secured locations. However, the data taken from the _ AWS is not obtained as established in the procedure.
d. The _ Automated Microbial Identification Sample Prep Workstation is considered GMP equipment and as such generates electronic records which are not backed-up or stored for retrieval. The Operational Qualification document states that…”since reports are printed after each run and attached to the original laboratory data document, no data is stored long term and data security is not an issue…” Data will not be stored on the system long term since analysts will printout and attach copies of reports to their original laboratory documents. Therefore backup and archiving of data is not necessary.”
