Question 5: The German AMWHV (Arzneimittel-und Wirkstoff-Herstellungs-Verordnung) requires that all data be stored in the premises according to the manufacturer's authorization. Is the cloud solution viable? The German EFG (Expert Working Group) 11 interprets the legal basis of this issue as part of the vote on "electronic data storage requirements. Article 20 of the AMWHV states that the documents must be "deposited in the appropriate area of the premises covered by the licence in accordance with the provisions of Article 13, Article 72 or Article 72c(4) of the German Medicinal Code". In the pharmaceutical environment, the trend towards digitization and the replacement of paper documents with electronic records (e-records) is steadily increasing. At the same time, multinational companies are introducing computerized systems as client/server solutions worldwide. This involves enterprise resource planning (ERP) systems, manufacturing execution systems (MES), laboratory information and management systems (LIMS), as well as change systems, CAPA and training management systems. In recent years, outsourcing some or all of IT and computer-based systems to third parties in favor of various cloud service models: Infrastructure as a Service (IAAS), Platform as a Service (PAAS) and Software as a Service (SAAS), the latter as a service model is becoming increasingly common. As far as electronic documents are concerned, if there is at least one terminal (such as a terminal or PC plus a printer) in the room covered by the permit, it meets the requirements for storing electronic records/documents in the room covered by the permit in accordance with Article 13, Article 72 or Article 72c(4) of the German Drug Act so that all data and metadata can be accessed, A readable printout and copy can be generated on the data carrier. Similarly, service providers (internal or external) must meet requirements for IT infrastructure (IAAS, PAAS), application validation (SAAS) and ensuring availability, readability and integrity. Question 6: Do common certifications (such as 27000ff) reliably prove that the cloud service provider is suitable, or what requirements must the certification meet to play a role in the applicability of the CSP? The fact that suppliers and service providers must have a quality assurance system stems from the EU-GMP Appendix 11:3.4 Inspectors shall be provided with quality system and audit information on the supplier or developer of the software and systems used upon request. It is not possible to determine from Appendix 11 what kind of quality system it should be. However, Germany's EFG 11 commented on the issue in its Votum V1100202 "Requirements for the retention of electronic data. It states: In the following, the requirements for CSP quality and data integrity (for dynamic and static data) are formulated. These requirements are not clearly found in the EU GMP guidelines in this way, but are considered from the perspective of EFG 11. Reasonable: n CSPs that handle confidential data or data with high availability requirements must have a certified ISMS (for example, according to DIN 27001). However, it remains to be seen whether this can be enforced from a legal point of view. Question 7: Can we assume that if an appropriate QMS is implemented and the CSP's behavior conforms to the QMS (as a result of the audit), the service functions and operation controls provided according to the specification are carried out in accordance with the CSP's internal procedures? According to Appendix 11, the use of a computerized system does not result in a reduction in quality assurance. The evaluation of the service provider includes an evaluation of its quality assurance system. In addition to this initial assessment, Chapter 7 also requires RUs (Regulated Users) to continuously monitor the service provider by monitoring KPIs. In the case of application and an appropriate quality management system, it can be assumed that the operational controls defined in the quality management system will be implemented, and the results of non-compliance with the specification will be resolved within the meaning of deviation/OOS. However, RUs (Regulated Users) need to continuously assess compliance when implementing QMS. Chapter 7 of the EU Guidelines for Good Manufacturing Practices states that "the contract maker is ultimately responsible for ensuring that processes are in place to ensure control over the outsourced activities". The type and scope can be defined in terms of risk, and they are influenced by the service provider's experience of continuous monitoring. Question 8: What must be covered by the change control of the service provider and how must the contractor be included in the system? Although the responsibility for patient safety, product quality and data integrity of regulated companies cannot be delegated to cloud service providers (CSPs), CSPs still play an important role and take over important tasks such as specification, verification and change documentation (in addition to implementation), whether in the infrastructure (IaaS), platform (PaaS), or application (SaaS) itself. One of the goals of regulated companies is to maintain the verification and compliance status of the system. This requires appropriate verification measures (impact analysis, risk assessment, and further testing and documentation activities, if applicable), which usually require knowledge of the changes implemented by or at the CSP. Therefore, the following elements of the proof-of-concept are recommended: n The regulated company verifies that the CSP has established a high-quality and compliant change control process (e. g. through audits). n Service level agreements (SLAs) ensure that information (and documentation) on plans and required changes are available on time to the extent necessary, enabling regulated companies to conduct (risk) assessments and plan required actions as appropriate.

DST teacher recently in the audit process, found that some customers of the sampling work by the QA to be responsible for, some pharmaceutical companies by the QC sampling, so who is responsible for the sampling, who is responsible for the authorization is appropriate? Today we will come to discuss the issue of sampling, let us start from the regulations, look at the relevant provisions. NMPA 2010 version of GMP Article 12 of the basic requirements for quality control: (III), authorized personnel shall take samples of raw and auxiliary materials, packaging materials, intermediate products, products to be packaged and finished products in accordance with the prescribed methods. NMPA 2010 GMP Article 222 Sampling shall at least meet the following requirements: Personnel of the (I) Quality Management Department have the right to enter the production area and storage area for sampling and investigation; The (II) shall be sampled in accordance with approved operating procedures, which shall specify in detail: 1. Authorized samplers;...... FDA 21CFR Part211 Sec. 211.42 Design and construction features-Design and Build Requirements (c)(1) Receipt, identification, storage, and withholding from use of components, drug product containers, closures, and labeling, pending the appropriate sampling, testing examination by the quality control unit before release for manufacturing or packaging. Before release to production or packaging, the quality control department shall adopt appropriate sampling methods and testing to receive, identify, store and disable raw and auxiliary materials, drug containers, seals and labels. EU GMP: Quality Control Quality Control 1.9 Quality Control is that part of Good Manufacturing Practice which is concerned with sampling, specifications and testing, and with the organization, documentation and released for use, nor products released for sale or supply, until their quality has been justed to be satisfactory. The basic requirements of Quality Control are that: Quality control is part of GMP, this involves sampling, quality standards, inspection, as well as organization, documentation and release procedures to ensure that the necessary relevant inspections are carried out and that the material or product is not released for use or sale until it is judged to meet the requirements. The basic requirements for quality control are: (ⅰ) Adequate facilities, trained personnel and approved procedures are available for sampling and testing starting materials, packaging materials, intermediate, bulk, and finished products, and where appropriate for monitoring environmental conditions for monitoring for GMP purposes; Adequate facilities, trained personnel and approved procedures for sampling and inspection of starting materials, packaging materials, intermediates, semi-finished products and finished products, as well as environmental monitoring required by GMP; (ⅱ) Samples of starting materials, packaging materials,intermediate products, bulk products and finished products are taken by approved personnel and methods. Sampling of starting materials, packaging materials, intermediate products, semi-finished products and finished products by approved personnel according to approved methods. 6.4 Quality Control personnel should have access to production areas for sampling and investigation as appropriate. Quality control personnel should have access to the production area for sampling and investigation. PIC/S GMP 2.8 The head of Quality Control generally has the following responsibilities: The Quality Control Responsible generally has the following responsibilities: (ⅲ) To ensure that all necessary testing is carried out and the associated records evaluated. Approve quality standards, sampling methods, inspection methods and other quality control procedures. 6.2 The Quality Control Department as a whole will also have other duties,such as to establish,validate and implement all quality control procedures,oversee the control of the reference and/or retention samples of materials and products when applicable,ensure the correct labeling of containers of materials and products,ensure the monitoring of the stability of the products,participate in the investigation of complaints related to the quality of the product, etc. All these operations should be carried out in accordance with written procedures and, where necessary, recorded. The entire Quality Control Department will also have other responsibilities, such as establishing, verifying and implementing all quality control procedures, supervising the control of reference and/or retention of materials and products, ensuring correct labeling of materials and product containers, ensuring product stability inspections, and participating in product quality related complaints investigations. 6.4 Quality Control personnel should have access to production areas for sampling and investigation as appropriate. Quality control personnel shall have access to the production area for sampling and investigation. WHO GMP 17.3 Each manufacturer should have a QC function. The QC function should be independent of other departments and under the authority of a person with appropriate qualification and experience. Adequate resources must be available to ensure that all the QC arrangements are effectively and reliably carried out. The basic requirements for QC are as follows: Each manufacturer should have a quality control department. The quality control department should be independent of other departments and managed by personnel with appropriate qualifications and experience. Adequate resources must be provided to ensure the effective and reliable implementation of all quality control tasks. The basic requirements for the quality control department are as follows: (a)Adequate facilities, trained personnel and approved procedures must be available for sampling, inspecting, and testing materials, packaging materials, and intermediate, bulk, and finished products, and where appropriate for monitoring environmental conditions for GMP purposes; Adequate facilities, trained personnel and approved procedures should be available to sample, review and test raw materials, packaging materials, intermediates, products to be packaged and finished products, and monitor environmental conditions as appropriate to meet GMP requirements; (B )Samples of starting materials, packaging materials, intermediate products, bulk products and finished products must be Quality Control departments approved personnel. The sampling of raw materials, packaging materials, intermediates, products to be packaged and finished products must be completed by personnel approved by the quality control department according to the specified sampling method. To sum up, in addition to China's 2010 version of GMP regulations, which are sampled by the quality management department (QA or QC), the regulations of other major regulatory agencies are more likely to be done by the quality control department, including sampling for environmental monitoring. From the perspective of QA, QA personnel are responsible for the supervision and maintenance of the whole quality management system. QA sampling can better ensure that the sampling process conforms to established procedures and specifications, and that sampling is representative and fair. QA has the advantage of overall planning and coordination of sampling, and can grasp the timing, frequency and method of sampling from the macro level to ensure the accuracy of subsequent quality assessment. They pay more attention to the compliance of the process and the guarantee of the quality system. However, QC personnel also have a unique expertise in sampling. QC mainly focuses on the specific detection and analysis of samples, and they have a deep understanding and mastery of sampling techniques and requirements. QC sampling can accurately obtain the required samples according to the detection purpose and method, and ensure the reliability of the detection results. QC excels in the detailed operation of sampling and in the targeting of specific test items. In fact, whether it is QA sampling or QC sampling, the goal is to meet the strict requirements of GMP. Ideally, the two should work closely together to form a synergy. QA ensures the standardization and comprehensiveness of sampling, while QC ensures the professionalism and accuracy of sampling. In a perfect quality management system of pharmaceutical enterprises, the responsibilities and authorities of QA and QC in sampling work should be clearly defined, and a clear workflow and communication mechanism should be established. Only in this way can the reliability and stability of product quality be improved to the greatest extent while ensuring that the sampling meets the GMP requirements.

Recently, I launched an article on writing a deviation survey. I received feedback from some readers and wanted to know something about the definition, management and process of deviation events. So this time, I will talk about deviation management and process first. To manage a survey well, in addition to a good management process, you also need to learn how to manage it effectively. Here are some insights from the DST team. Definition of deviation: First of all, how to define deviation, what is the case of deviation, effective deviation management is based on effective, sufficient to control the production process and drug quality procedures or standards. Without pre-defined rules, there will be no bias. For example, an enterprise's definition of deviation: deviation refers to any deviation from approved procedures (guidance documents) or standards. Including any abnormal conditions related to product quality, such as abnormal storage of materials and products, equipment failure, excessive verification results, excessive environmental monitoring results, excessive or abnormal verification results of analysis methods, customer complaints, etc., as well as accidents or deviations that do not conform to drug-related laws and regulations or approved standards, procedures and instructions. Identification of deviations: With the definition of deviation as the basis, then the identification is the starting point of the deviation processing activity. Identification ability depends on all drug production quality related personnel, and those personnel need to go through the corresponding deviation management training, understand the concept of deviation and have the ability to identify deviation, which is linked to the usual training, experience accumulation and personal ability. Deviation recording and reporting supervisor: When personnel identify deviations or abnormal situations, they should fill in relevant records in time. Therefore, the design of GMP records (such as batch production records, log files, etc.) should be able to keep a certain position to record various deviations or abnormal situations, so as to ensure that relevant personnel can conveniently record any deviation in production quality activities in time and ensure the traceability of deviation investigation and treatment process. At the same time of filling in the records, they should also report to the superior immediately, explaining the time, place, person, what things or processes, etc. Based on the description of the reporting person, the supervisor determines whether urgent measures need to be taken to prevent the deviation from expanding or worsening. Common emergency measures include: suspension of production; Material or product isolation; Suspension of equipment; Emergency shelter, etc. All emergency actions performed must be recorded in a timely and complete manner in the deviation record. Report to quality management department; In the event of a deviation, the head of the department or his authorized personnel shall immediately provide true and comprehensive deviation information to the quality management department. Whether to report to the quality management department immediately is a prerequisite for the quality management department to effectively classify deviations and conduct deviation investigations in conjunction with other departments. Classification and assessment of deviations: Classify the deviations according to their nature, extent and potential impact on product quality (e. g. major, moderate, minor). For major deviations, such deviations may have serious consequences on product quality, safety or effectiveness, product image, product expiration date, etc., or may lead to product scrapping, finished product recall, and it is also necessary to consider whether additional inspection is required. Such deviations must be investigated in depth to identify the root cause, and in addition to corrective action must be taken, long-term preventive measures must be established and stability studies of products involving significant deviations must be conducted. Investigation and handling of deviations: Investigation and analysis shall be carried out in accordance with the prescribed procedures to find out the root cause of deviation. Common root cause analysis methods include brainstorming method, fish bone method, 5Why method, etc., and corrective and preventive measures CAPA shall be formulated. In principle, the CAPA formulated shall be implemented and rectified only after approval by the quality department. The deviation investigation report shall be reviewed and signed by the quality management department. Correction and Prevention of Deviations CAPA: The corrective and preventive action CAPA for deviation shall be implemented to ensure that the measures are reasonable, effective and timely. If the CAPA developed is continuous or cannot be completed in the short term, the deviation can be closed first, provided that the product quality is not affected, but additional records are required for tracking and regular review. For deviations that are not closed within the specified time limit, a periodic report should be drafted to explain the progress of the investigation, develop necessary short-term actions, assess potential risks, and apply for and obtain the approval of the quality department before extension. Review and evaluation of deviations: Enterprises should regularly review and evaluate deviations, especially in the review to pay attention to whether there is a repeat of the same type of deviation, which may lead to the failure of the deviation system, the need to develop effective preventive measures. Deviation Record Filing: Relevant records and reports shall be filed and kept in a timely manner, and the enterprise shall clearly specify the responsibilities, methods and retention periods for deviation investigation, handling documents and record keeping. The preservation method should ensure traceability with related products, easy to find and can be quickly provided in internal and external audits. Knock on the blackboard: The main concerns of deviation management are as follows: Whether the established deviation management procedure defines the responsibilities and authority of each department and personnel in the deviation handling process; Whether the relevant personnel of production quality activities are trained in deviation management procedures, understand the concept of deviation and have the ability to identify deviation; If the deviation needs to be reported to the competent personnel and the quality management department immediately, then whether the deviation procedure clearly stipulates what is "immediate" and whether the specified time limit is reasonable; Whether the deviation classification standard is reasonable, whether the deviation classification is carried out by the quality management department, and whether the classification judgment of specific deviation is appropriate; Whether the root cause investigation of deviation is timely, comprehensive and thorough, whether the investigation and handling of major deviation is conducted by the quality management department in conjunction with other departments, whether the root cause cannot be identified is common, and whether the identified root cause is reasonable; Deviation impact assessment, including the impact on product quality and the impact on the quality management system, whether the appropriate product disposal can ensure the safety, effectiveness and quality control of the drug; Whether the corrective measures for deviation are effectively implemented and tracked; Whether corrective and preventive measures for similar deviations are effectively implemented and tracked; Whether the same or similar deviations occur repeatedly. The above process ensures that deviations are properly managed and prevents future deviations from occurring. What else do you want to know, question or suggestion? Please leave a message in the comment area below.

DST: For EU GMP sampling, item-by-item sampling identification is expensive for enterprises and is not easy to control, so how to control in the actual implementation process to meet the sampling requirements for materials: EudraLex - Volume 4 - Good Manufacturing Practice (GMP) guidelinesChapter 5 - Production EudraLex-Volume 4-Good Manufacturing Practice (GMP) Guide Chapter 5-Production 5.35 Manufacturers of finished products are responsible for any testing of starting materials2 as described in the marketing authorisation dossier. They can utilise partial or full test results from the approved starting material manufacturer but must, as a minimum, perform identification testing3 of each batch according to Annex 8. The manufacturer of the 5.35 finished product is responsible for any testing of the starting materials described in the marketing authorization file. They may use some or all of the test results of an approved manufacturer of the starting material, but must at least perform the qualification test for each batch in accordance with Appendix 8. EudraLex - Volume 4 - Good Manufacturing Practice (GMP) guidelines ANNEX 8 SAMPLING OF STARTING AND PACKAGING MATERIALS EudraLex-Volume 4-Good Manufacturing Practice (GMP) Guidelines APPENDIX 8 SAMPLING OF START MATERIALS AND PACKAGING MATERIALS Starting materials Starting Material 2.The identity of a complete batch of starting materials can normally only be ensured if individual samples are taken from all the containers and an identity test performed on each sample. It is permissible to sample only a proportion of the containers where a validated procedure has been established to ensure that no single container of starting material has been incorrectly labelled. In general, the identity of the complete batch of starting material can only be ensured by taking a single sample from all containers and performing an identity test on each sample. Sampling of only a subset of containers for which verification procedures have been established is permitted to ensure that no individual containers are incorrectly labeled with the starting material. DST: The verification procedure is mentioned here. Does the material supplier also need verification? Let's see what the verification requires: 3.This validation should take account of at least the following aspects: This verification should consider at least the following aspects: -the nature and status of the manufacturer and of the supplier and their understanding of the GMP requirements of the Pharmaceutical Industry; the nature and status of manufacturers and suppliers and their understanding of GMP requirements in the pharmaceutical industry; -the Quality Assurance system of the manufacturer of the starting material; -the manufacturing conditions under which the starting material is produced and controlled; production and control of the manufacturing conditions of starting materials; -the nature of the starting material and the medicinal products in which it will be used. The nature of the starting material and the nature of the medicinal product with which it will be used. Under such a system, it is possible that a validated procedure exempting identity testing of each incoming container of starting material could be accepted for: Under such a system, a verified procedure can be accepted to exempt each raw material container from identity testing: -starting materials coming from a single product manufacturer or plant; starting material from a single product manufacturer or plant; -starting materials coming directly from a manufacturer or in the manufacturer's sealed container where there is a history of reliability and regular audits of the manufacturer's Quality Assurance system are conducted by the purchaser (the manufacturer of the medicinal product) or by an officially accredited body. Starting materials directly from the manufacturer or sealed containers with a history of reliability by the manufacturer are subject to periodic audits of the manufacturer's quality assurance system by the buyer (pharmaceutical manufacturer) or an officially recognized body. It is improbable that a procedure could be satisfactorily validated for: The program is unlikely to be satisfactorily validated in: -starting materials supplied by intermediaries such as brokers where the source of manufacture is unknown or not audited; -starting materials for use in parenteral products. The starting material used to inject the product. In view of the above, it can be concluded that according to the GMP guidelines in Volume 4 of EudraLex, the following requirements are required for sampling and identification of starting materials: 1. For the contents of each raw material container, appropriate procedures or measures should be established to ensure its identity. Samples taken from bulk containers shall be identified. 2. The manufacturer of the finished product is responsible for testing the starting material. Some or all of the test results of the approved starting material manufacturer may be used, but at least each batch must be subject to qualification testing. 3. Sampling procedures for starting materials should be validated, taking into account the nature and status of the manufacturer and supplier, the quality assurance system, production conditions, and the nature of the starting material and the nature of the pharmaceutical product to be used. 4. For starting materials from a single product manufacturer or factory, or starting materials directly provided by the manufacturer and with a reliability history, the identity test of each raw material container can be exempted through the verification procedure. 5. Procedures are unlikely to be satisfactorily validated for starting materials provided by brokers or for injection of products. DST: In addition to the starting materials for injection, we can develop different sampling strategies for our suppliers of starting materials through the verification procedure provided in Appendix 8. If the supplier meets the requirements of the verification procedure, it is not necessary to sample each piece.

Recently, Tieguai Liu attended the Guangdong Southern Medicine Summit Forum and had the honor to listen to a speech by the leaders of the Drug Administration. He learned that there are now more than 160 B certificates for drug production licenses in Guangdong Province. The advancement of the new version of the "Drug Administration Law" has indeed increased the enthusiasm of various institutions to obtain a B certificate for drug production licenses. It seems that as a research and development institution, if it does not obtain a B certificate, it will feel like it has no face. Recently, more and more enterprises, including drug sales enterprises, are also ready to move. As the owner of the B certificate, there is indeed a great advantage. Through obtaining approval documents through the organization, looking for a manufacturer to quote and manufacture drugs, the whole process is simple and perfect, and you can enjoy the fast track of centralized procurement and obtain a huge market opportunity. When something really goes wrong, B- card companies are asset-light and almost "zero risk" for investment bosses ". At present, the drug administration department is gradually showing anxiety about the management of entrusted production MAH. For so many MAH enterprises and enterprises with C certificates, how to manage and control them in case of problems. The licensing office of the provincial bureau also revealed difficulties. Indeed, these B- card enterprises are like guerrillas one by one. They do not even have their own places (most of which are leased). Their ability to release and supervise products is far from that of traditional A- card or C- card enterprises. In order to obtain the certificate, some enterprises choose the quality authorized person, the person in charge of production and the person in charge of drug alert because of the cost of the enterprise and other reasons, some can not be full-time, some lack of ability, through the way of resume optimization of experience "beautification treatment" and so on, will pose risks to the final quality supervision of drugs. Some new information recently obtained also shows that the drug administration department will strictly control the number of B certificates and at the same time control the issuance of C certificates. C card is a certificate that can be entrusted, but enterprises with C card can also produce their own. If a C- card enterprise does not have the experience of A- card, and the product is originally in the pilot stage, "factory release" is given to B- card enterprise for pilot or clinical use, and the team of B- card enterprise lacks the ability or is forced to release it to the market by "other factors", this management will indeed bring great risks. Another regulatory risk is that the B- card and C- card enterprises are often not in the same province, and this is also the case in several cases currently done by Tieguai Liu, almost all of which are cross-provincial cooperation. Even if a B- card project is encountered at the same time for multiple C- card enterprises, but these enterprises are not in the same province, then as a regulator, it is also very headache. Whether it is the local supervision of C certificate or the local supervision of B certificate. The monk is on one side and the temple is on the other. The monk is not under the control of this temple, so you can't catch the monk if you seize the temple. Seize the monk, the temple also does not necessarily compensate you. Because the monk had no money, the temple was not responsible for the problems that the traveling monk broke out outside. As for the development direction of the laws and regulations, Tieguai Liu thinks: Certificate B will become more and more difficult, and Certificate C is not CDMO or CMO for every enterprise to be CDMO. CMDO or CMO enterprises have A certificate of experience will be an inevitable trend. The following is an introduction to Certificate A, Certificate B and Certificate C, which are collected free of charge by interested partners. Article 77 of the Measures for the Supervision and Administration of Drug Production, capital letters are used to classify drug marketing license holders and product types: A represents drug marketing license holders produced by themselves, B represents drug marketing license holders entrusted to produce, C represents drug manufacturers entrusted, and D represents drug manufacturers. Lowercase letters are used to distinguish preparation attributes: H represents chemical drugs, z represents proprietary Chinese medicines, s represents biological products, d represents in vitro diagnostic reagents managed by drugs, y represents Chinese herbal pieces, q represents medical gases, t represents special drugs, and x represents others. A certificate of drug production license: A represents the holder of the drug marketing license produced by himself, and the approval document owner and the manufacturer are the same. Engaging in pharmaceutical production activities shall be approved by the pharmaceutical supervisory and administrative department of the people's government of the province, autonomous region, or municipality directly under the Central Government where it is located, and a pharmaceutical production license shall be obtained. Without a drug production license, no drug may be produced. Drug production license B: B represents the drug marketing license holder entrusted with production. B card enterprises are different from pharmaceutical production enterprises. They do not engage in pharmaceutical production and need to commission production. The Marketing Authorization Holder (MAH) shall also apply for the Pharmaceutical Production License B in accordance with the regulations. Drug Production License C: Drug Production License C represents an enterprise that accepts the entrustment of the owner of the drug approval document (I. e. the drug marketing license holder) to produce this variety of drugs. No matter whether the production enterprise has obtained the certificate or not, it needs to obtain the C certificate when accepting the entrusted production activities, and the certificate cannot replace it. Drug production license D certificate: API manufacturers need to obtain D certificate before engaging in API production. From the perspective of parallel four certificates, it seems that they have rejected the MAH system of API that has been controversial before.

I believe that no pharmaceutical company will want to receive a Warning Letter from FDA. based on past FDA inspection experience and reading FDA warning letters over the years, colleagues of the Durst team have summed up the following key contents of the warning letter for the reference of pharmaceutical colleagues. from the key contents of the FDA warning letter, we can see the defects that are easy to occur in the FDA inspection process, which is convenient for pharmaceutical colleagues to avoid the same mistakes in their work.

The customer's November 2023 FDA PAI inspection was also the third FDA inspection of the project Tieguai Liu did this year. In September, Tieguai Liu also went through an FDA PAI inspection, which was aimed at the bulk drug project. This inspection involves more difficulty. The inspection involves production lines including: sterile bulk drug production workshop, sterile preparation (non-final sterilization) B A product production workshop, and the products are highly active products. Tieguai Liu has always been a fan of challenging inspections, especially when it comes to difficult inspections of non-final sterile injections. Durst DST has helped Sichuan's enterprise to do the overall quality system audit and verification audit many times in 2021 and 2022, and the basic regular pits involving FDA's six major systems have been smoothed out. In 2022, customers once set aside the president's office as a conference room for Durst DST's team as a special FDA inspection conference room, in which drinks and snacks are provided. Here again thank the customer up and down the team to provide us with the perfect on-site office conditions. I vaguely remember that three days before the inspection, I worked with their verification manager and production partners to do more than 2:00 a.m. to help them make a key verification. The results were approved by the prosecutor on the first day of the inspection. In July 2022, the perfect first world war was completed. In the end, there are only two minor defects. The inspector even directly announced in my opinion at Ending Meeting that you can pass. However, in the end, I waited for a few months for the EIR report, but everything was Perfect. During this inspection, Tieguai Liu also became friends with the prosecutor. We were supposed to have a party in Beijing in November, but Tieguai Liu had to postpone it because of his foot injury. The DST team was also approved by the prosecutors and customers. In 2023, friendly cooperation will enable us to start new cooperation. We have arranged relevant senior experts to systematically diagnose the customer's QC, the whole process of this product-related process, cleaning and production, helping the customer to pull out all the key risks. Even if the risks cannot be solved, our small partners will have some prevention in advance. It is not convenient to elaborate on the specific details here (confidentiality agreement related). In fact, the iron turn Liu is a bit wordy. It is estimated that after the leg was injured, it became wordy. We do international projects-the biggest advantage of products going to sea for Tieguai Liu is that we do it right, foreign prosecutors will recognize, praise, and let our customers pass. This is the biggest motivation for Tieguai Liu to insist on consulting this industry. Enterprises do not need to fight too much interpersonal relationships, spend a lot of money or too much energy to deal with government relations. This can also be seen in Fun 1 below. Now I 'd like to share with you all the interesting things during the FDA inspection. Fun One: "Simple reception", "Reject people from thousands of miles", dining is not an easy thing. In fact, the reception is never simple, especially for the inspection of the fate of life and death of the enterprise. We are worried that we are not doing well and let the prosecutor pick a bone in the egg. What is the sentence that said? "You make me unhappy, and I also make you unhappy". There are not so many moths to check this abroad. This time the prosecutor is a woman. In fact, she was also a woman during the inspection in September. Maybe she ran into it this time. It didn't go well for this reception, Zhenzhen. The prosecutor comes from a city in the southern United States, where the climate is like Guangdong and Fujian. Let's guess which city. But the prosecutor is very afraid of the heat. In fact, the local weather during the inspection was really good, probably at 18-25 ℃. In the afternoon after receiving the inspector, the outdoor temperature was 22 ℃. In this case, the weather had turned cold. It is also understandable that star-rated hotels in the mainland (hotels chosen by the prosecutor himself) do not provide central air-conditioning refrigeration. As a result, the prosecutor lived on the top floor and felt hot when entering (estimated to have different physiques), so he could only change one floor. But the result was even worse. On the second and third days, the inspector found that the ground was leaking. It was really a disaster, and the key could not be solved. This sudden accident made the prosecutor very unhappy, but he has already moved home once. The prosecutor really doesn't want to move again, because he doesn't know if there will be other "moths" in the end of moving again ". Every time there is a water leak on the ground, only clean elder sister can handle it. After two days to the third day, after unremitting communication, the hotel decided to turn on the refrigeration. However, the prosecutor can only be depressed. In the next few days, the temperature finally dropped! Although the living was not satisfactory, the prosecutor did not take this out on the enterprise. This point we very much for the foreigner's civil service dedication thumbs up! In addition, for simple activities or outings arranged by the enterprise, including accommodation, meals, all AA, and even small gifts to the prosecutor (only as friendly letters), the prosecutor refused one by one. The prosecutor stayed in the area for 10 days. Except for a formal dinner with everyone in the middle, the other dinners were all done by himself. We are still a little worried about this. But this period of time has been iron turn Liu lucky enough to have been with the prosecutor 7 days lunch this big meal. For this inspection, I was a little worried at the beginning, especially when there were several findings in the process, which were considered to be relatively risky. Tieguai Liu and the customer made a rectification plan during the inspection. During the inspection, the inspector said that some defects were written down anyway. At that time, there were indeed great worries. I thought to myself that the prosecutor was not living well, eating well, and would not attend the big meal. I don't know what will happen, it seems that everyone is worried about unnecessary. Because in mid-December, last Friday to be exact, the mail received was already passed! Not an easy meal. The prosecutor is not willing to have dinner with many people. Apart from the first day when the boss and Liu 7 people with big heads, I was accompanied by two other partners for the rest of the days. For what to eat, it doesn't matter, the biggest relationship with who to eat. Many Chinese don't like humor. Actually, I'm not good at it either. But Bo world of mortals smile, still need. Before eating every day, I will think about many Topics. For female prosecutors, I actually have more pressure. The elder sister herself doesn't talk much. A good topic is often important. Otherwise, everyone will stare at each other with small eyes. Fortunately, this iron crutch Liu has some experience and can amuse the little-talked prosecutor with our two food lovers every day. Even this American silver-haired elder sister (her hair is all white), who was said to be reluctant to take pictures of other enterprises before, took a picture with us. Moreover, Tieguai Liu found that the period was Thanksgiving Day in the United States. We also prepared a simple Thanksgiving lunch for the inspection teacher. The customer's administration was very good. I gave some advice to the administration based on my poor understanding of American culture. During Thanksgiving, although it is not luxurious, I believe it is also worth remembering that someone in a foreign country can spend a big festival with him. This time, it is rare for this inspector to drink our white wine (white wine). Fun two: "armed to the teeth of secrecy". During the inspection, the prosecutor kept himself very secret, even more than we thought. In the iron turn Liu get some new information, the relationship between the United States and China is not very good, do not rule out in the pharmaceutical industry to China more stringent "means". This is the news that has been spreading outside. I believe this possibility cannot be ruled out. For example, this seems to be reflected in this inspection. I am also an accompanying expert for the FDA inspection in 2022. The prosecutor can let us take pictures of the contents of his notebook to find information, this time not at all. Even if someone is on her side, she will deliberately put the notebook in a more partial position, so that the neck of the person who wants to peek is bent into a "duck neck", at least it is also a giraffe! If this time the prosecutor caught, it would be a capital embarrassment! As for the interesting story of confidentiality, here are two examples. The prosecutor checks in the office or on the spot, and the prosecutor always takes the book with him. So that in the office, when I went to the toilet, I saw her casually take the notebook into the bathroom. At noon, when she goes to the scene, she will put away all her things and use the zipper with lock to lock every zipper of the backpack! The prosecutor only needs to turn on the computer and put on the anti-candid film before turning on the computer! (Tieguai Liu did not dare to shoot directly, for fear of being driven out. However, there is really this thing on a treasure!) Fun three: the prosecutor "disturbed the rhythm", "a diversion"! Let you never know what her next move is, unable to prepare. The prosecutor did not follow the routine at all. For example, she asked for a lot of documents. Well, you plan to follow the order and provide some documents that you are very sure. She doesn't look at what she has provided in the past. First of all, these documents are what she wants, for example, in the morning. So, she's the only one who orders soldiers. In fact, in terms of inspection strategy, this is indeed much better than the EU inspection, and it also gives the people being inspected a lot of headaches. Not only is your document too late to plan the order well, for the SME experts being inspected, it becomes an unprepared adventure. It seems that when you were sleeping very hard, the other party suddenly cut you. You have no mental preparation. Even at the back, we joked to our friends in the war room that you would send the information you did not prepare so well to the prosecutor! There are a few information, you also don't say is really useful! For such a strategy, we only have to stabilize our position, speed without chaos, SME experts must be nearby, otherwise we cannot arrive in time, resulting in the situation of prosecutors and so on. Fun four: prosecutors "duplicity", enterprises should be firm! The prosecutor almost talked about it several times during the inspection, and I did not accept some rectification. At that time, my heart was very cool. We all know that the FDA inspection in the United States is not just a matter of the "master" at the scene. They will give the information to the inspection and evaluation center and will have a "final account". This is the most horrible thing. I have listed these defects for you and will not tell you the level. You can do it at your own discretion! Therefore, the 483 defect items given by FDA have no minor defects in our enterprise's rectification strategy. The enterprise should deal with the defect level of Major at the lowest, otherwise, will you be at ease in your heart? Haha, Tieguai Liu will give you a "torture of the soul", please be the person in charge of the enterprise, the chairman of the board, the person in charge of production and the person in charge of quality. During the inspection, the inspector emphasized that even if we rectify it, some defects will still be recorded. However, in fact, as long as the rectification items we make are convincing enough, many Finding will still be released. Therefore, if your inspector says so, you still insist on the rectification and make rectification during the inspection. Of course, if the CAPA of the rectification is effective, ha! Fun 5: "Weak water is 3,000, only take a ladle of water". It's the same analogy that Tieguai Liu often makes. The biggest difference between our foreign inspections and those at home is that they are very objective and only want to reach the depth. Do not seek the breadth of the inspection, do not seek to be comprehensive. The inspection was almost the last day, and it was found that there were still more than n things that had not been read, including the documents for several days in front of them, and even the whole QC documents had not been remembered and read. However, we need to remind the inspector every day: our documents are ready, you can check them at any time, and the preparation of documents on the spot really requires the relevant personnel to cheer up. Finally, the prosecutor will still give an evaluation of the results of the inspection. Considering the large amount of content, Tieguai Liu has been updated here and will continue to be updated in the next issue.....

Question 1: What does Iaas/PaaS/SaaS/XaaS mean? IaaS, PaaS, and SaaS are abbreviations and different tiers (or service models) of various cloud service provider (CSP) offerings. "AaS" always stands for "as a service". In XaaS, X is a placeholder for I, P, or S, representing infrastructure, platform, or software. Sometimes, XaaS is also referred to as "Anything as a Service" or "Everything as a Service" and can have very specific characteristics, such as "high performance computing as a service (HPCaaS)" or "artificial intelligence as a service (AIaaS)". The CSP provides various services and benefits based on the basic service model, and the tasks to be performed may vary accordingly, as shown in the following table: n For computerized systems or applications that traditionally run locally, the regulated company (or its IT department or IT service provider, if outsourced) is responsible for all tasks related to computerized system verification (CSV). nIaaS: If the infrastructure is provided and managed by a CSP, the model is called IaaS. Here, the tasks and responsibilities of the regulated company begin with the installation of the operating system. n At the next level, the CSP takes over the installation and operation of the infrastructure and operating system. A regulated company is involved in the configuration of the runtime environment. nSaaS: For this model, the CSP provides and operates the configuration of the runtime environment and applications on top of the infrastructure and operating system. In other words, the activity shifts from the user (the regulated company as the customer) to the cloud service provider (vendor). However, the responsibility for the verification and operation of the application and all related topics such as data integrity, data privacy, data security, etc. remains with the regulated company. Question 2: What are the cloud models and what are their applications in a GxP environment? Basically, there is no uniform specification for the classification of cloud models. NIST (National Institute of Standards and Technology) has developed a so-called "deployment model", which describes a widely used classification (The NIST Definition of Cloud Computing,Special Publication 800-145, September. 2011): n Private cloud: In a private cloud, the cloud infrastructure is run by only one organization. It can be organized and managed by the institution itself or by a third party, and can be located in the institution's own data center or in a third-party institution. Public cloud: We call it a public cloud if the service can be used by the public or a large group (e. g., an entire industry sector); these services are provided by the corresponding cloud service provider at its facility/data center. n Community Cloud: In a community cloud, the cloud infrastructure is shared by multiple agencies with similar interests (e. g., in security, compliance). Such a cloud may be operated by one of these institutions or a third party. n Hybrid cloud: When multiple independent cloud infrastructures are shared through standardized interfaces, it is called a hybrid cloud. In a private cloud, the provider and the user are usually the same, and the user can fully control the services used, while in a public cloud, the user transfers control to the cloud service provider. However, the above definition does not cover all variants of cloud services, so further definition is needed, such as "virtual private cloud. Another common difference in cloud models is the classification by "service model" (SaaS, PaaS, IaaS)-see question 1. Basically, all "deployment models" or "service models" are also used in GxP-regulated industries. Here, the choice of cloud model is mainly based on the criticality of the GxP process supported by the cloud service and the data processed in the process. For example, the tools that support the training process, the so-called learning management systems (LMS), are often licensed as public clouds. In contrast, very critical applications, such as the management of trial master files, run at most within the framework of the community cloud service. Regardless of the importance of the process and data, the specific characteristics of the supported process support the use of community or private cloud products: the more specialized the process (for example, maintaining a tracking master file), the smaller and more specialized the group of potential subscribers. Question 3: What are the reasons for choosing a specific cloud model (private cloud, community cloud, public cloud)? In addition to commercial reasons (not discussed further in the context of GxP-regulated applications), practical reasons usually play a role in the choice of cloud model. In particular, small companies with relatively limited IT resources tend to use cloud services that they cannot provide with their own resources. This may be because they do not have enough human resources to provide all the topics required, or because they simply do not have the necessary expertise (technology related to the process, data security). In the GCP world, the special conditions prevailing there also promote the use of cloud services for very practical reasons: clinical trials are shared with many parties (hospitals, doctors, CMOs, sponsors), often globally. Moreover, the composition of the parties involved is not a fixed group, but is subject to change. The cloud service is universally accessible via the Internet, supports this way of working, and is designed for 24x 7 operation due to its international positioning. Another factor to consider, especially when choosing a cloud service, is the security requirements of the GxP process supported by the system. In Annex 11, pharmaceutical companies are explicitly required to align the required safety measures with risks (EU GMP Annex 11[12.2]: "The degree of safety control depends on the criticality of the computerized system)". This may mean that particularly sensitive data should generally not be processed in the public cloud for reasons of GxP data integrity. This decision-making requires the cooperation of all professional disciplines (IT, process owners, QA) to achieve a well-thought-out, technically sound risk assessment. This especially requires in-depth IT expertise because the topic of "data security" can be very complex (nesting of cloud services, redundancy across multiple data centers, authentication providers used, etc.) and can change permanently. If the business processes supported by the computer-based system place high demands on the availability of data and functions, this may have a direct impact on the applicability of cloud-based services: n Whether it is an additional reliance on an Internet connection or a "local" implementation that claims to be accessible via LAN; n While a highly redundant design across multiple regions and ease of horizontal scaling are critical for using cloud services, rather than installing on a local network. Especially in the field of GCP, data protection requirements (for example, personal data in clinical trials) play a vital role. Therefore, data protection determines whether the required cloud services are considered, and if so, in which country the data center used must be located. Even if this is not based on GxP requirements, high requirements for confidentiality of sensitive data (e. g., data from clinical research or product development) can determine whether to consider cloud services or restrict cloud services. Question 4: Is the SaaS closed system compliant with 21 CFR PART 11? The terms SaaS and "closed system" are not related, I .e. one neither implies nor excludes the other. First, SaaS is a service model for providing software applications in the cloud (I. e. over the Internet) by cloud service providers (CSPs). This requires data to be transferred, at least temporarily, to the cloud where it is stored and processed, often permanently. On the other hand, the definitions of "open" and "closed" systems do not refer to the manner in which data or applications are provided, but rather define the expected level of control. This control of data and applications is mainly achieved through operational and technical measures related to access protection, user identity and rights management, and encryption. Therefore, the level of control is not independent of SaaS, but represents a different dimension. In § 11.3 (B)(4), 21 CFR PART 11 defines a closed system as "an environment in which system access is controlled by the person responsible for the content of electronic records on the system". In contrast, § 11.3 (B)(9) defines an open system as one that lacks such control. Therefore, closed and open systems have very different measures such as verification and data privacy, which are defined in detail in paragraphs § 11.10 and § 11.30, respectively. As a result, each SaaS-provided application may be an open system, but typically operates as a closed system, especially when dealing with critical, sensitive, or trusted data (typically: data worth protecting).

With the improvement of today's medical level, society has increasingly attached importance and demand to drug safety. In order to provide accurate and objective feedback on the quality of drug safety production in drug production, pharmaceutical companies have also widely applied microbial identification technology. 伴随当今医疗水平的提升，社会更加提升了对药品安全的重视度与需求度。为了在药品生产中精准且客观反馈出药品安全生产的质量，医药企业对微生物鉴定技术的应用也相当的广泛。 The application of microbial identification technology has strengthened the traceability analysis of microorganisms. Traceability analysis is the process of confirming the source of pollution by comparing contaminated microorganisms and related monitoring microorganisms based on the degree of homology differences. 微生物鉴定技术的应用，加强了微生物的溯源分析，溯源分析是通过对污染微生物和相关环节监控微生物进行比对，以同源性的差异程度为依据，确认污染来源的过程。 The identification of strain level is very important in the pollution investigation process, especially when the microbial quantity in the product is high and meets the standard requirements or when abnormally high microbial detection occurs. The identification of bacterial strains is also important in aseptic processes. In the event of positive results in aseptic tests or failure in simulated processes such as medium filling, the detected microorganisms should be evaluated. 菌株水平的鉴定在污染调查过程中非常重要，尤其适用于产品中的微生物数量较高且符合标准要求时或出现异常高的微生物检出时。菌株水平的鉴定在无菌工艺中也很重要，在无菌试验结果阳性和培养基灌装等模拟工艺失败时，应对检出的微生物进行评估。 The phenotypic and genotypic characteristics of the same type of bacteria in the same location are basically the same. The phenotypic characteristics of the same type of bacteria in different locations may be basically the same, but there may be certain differences in the genetic characteristics of conservative and variable regions. Therefore, pollution investigations should mainly focus on genotype identification, with phenotype identification as a supplement. 同一地点的同种菌，其表型特征和基因型特征是基本一致的，不同地点的同种菌，表型特征可能基本一致，但保守及可变区域的基因特征会有一定的差异性。因此，污染调查等应以基因型特征鉴定为主，表型特征鉴定为辅。 In addition to sterile products that require microbial identification, it is also recommended to increase the means of microbial identification for other types of products and establish a bacterial strain library for the enterprise. The appropriate level of identification of microorganisms collected in controlled environments can help predict common microbial communities and evaluate the effectiveness of cleaning or disinfection procedures, methods, cleaning or disinfectants, and microbial monitoring methods. Especially when monitoring limits are exceeded, microbial identification information can aid in investigating the source of pollution. Colonies isolated from critical areas should be identified before non critical areas. 除了无菌产品需要进行微生物鉴定外，其他类型的产品也建议增加微生物鉴定的手段，并建立企业的菌种库。对受控环境收集到的微生物进行适当水平的鉴定，微生物菌群信息有助于预期常见菌群，并有助于评估清洁或消毒规程、方法、清洁剂或消毒剂及微生物监测方法的有效性，尤其当超过监测限度时，微生物鉴定信息有助于污染源的调查。关键区域分离到的菌落应先于非关键区域进行鉴定。 Method microbial identification must be carried out before the application of microbial identification methods. The confirmation of microbial identification methods should include accuracy, specificity, reproducibility, sensitivity, positive predictive value (PPV), and negative predictive value (NPV). The confirmation test of the microbial identification system shall be carried out using one of the following methods: 微生物鉴定方法的运用前必须进行方法确认。微生物的鉴定方法的确认应包括准确度、专属性、重现性、灵敏度、阳性预测值（PPV）、阴性预测值（NPV）。微生物鉴定系统的确认试验按下述方法之一进行： Parallel identification experiments were conducted on approximately 50 strains of microorganisms isolated in daily testing using existing and unconfirmed methods. Differences in identification results can be determined using arbitration methods. 采用现有方法和待确认方法对日常检验中分离的微生物约50株进行平行鉴定试验，鉴定结果的差异可使用仲裁方法判定。 Conduct a total of 50 identification experiments using 12-15 known reserve strains that can represent the commonly isolated microorganisms. 使用12-15种已知的能代表常规分离到的微生物的储备菌种，共进行50次鉴定试验。 The method to be confirmed is to identify 20-50 microbial strains (including 15-20 different species), and the results should be consistent with the identification results of the reference laboratory. 待确认方法对20-50株微生物（包括15-20个不同的种）进行鉴定，结果应与参照实验室的鉴定结果一致。 Evaluate the identification results of the microbial identification system used, while also considering its consistency level. 对所用的微生物鉴定系统的鉴定结果进行评估，同时还应考虑其一致性水平。

Recently, DST Durst experts went to a well-known biological vaccine enterprise in Hefei, Anhui Province to conduct a 4-day on-site inspection and audit of vaccine products. Prior to this, DST Durst had provided many GMP-related consulting services to the pharmaceutical enterprise. The audit of vaccine products mainly focused on the overall improvement and perfection of quality system, facilities and equipment system, material system, production system, packaging and labeling system, laboratory control system and other modules, help the enterprise to find the quality system and production system problems and deficiencies, improve the overall level of GMP. In this audit, Durst DST arranged four senior experts of biology and sterile products to the site to carry out registration verification and assist in monitoring of vaccine products. The four experts conducted a comprehensive and detailed audit of the quality system, facilities and equipment system, material system, production system, packaging and labeling system, laboratory control system and other modules of the vaccine product production line of the pharmaceutical company, and submit the audit report to guide the enterprise to solve the problems and deficiencies found in the audit process, to ensure its GMP compliance. In recent years, DST DST's expert team has experienced many international GMP certification inspections and has rich experience in dealing with GMP certification inspections. It can help pharmaceutical companies to improve their GMP certification inspections in all aspects and ensure the smooth development and approval of GMP certification inspections. At the same time, DST Durst also has rich experience and many successful cases in the construction of quality system, simulation audit, GMP certification and other aspects, helping many pharmaceutical companies to pass GMP certification. Recently, DST Durst has coached Sichuan Huiyu Pharmaceutical and Chengdu Shengnuo Biology to pass FDA certification in the United States. In addition, most of DST Durst's expert teams have worked in well-known foreign companies in the industry or worked and studied in foreign pharmaceutical companies, with rich experience, innovative ideas and solid professional skills, can bring better customer experience and results for customers. Since the establishment of DST Durst, DST Durst has taken the mission of enabling more pharmaceutical enterprises to reach the international top quality management level, the concept of customer first, and its own specialty as its hard strength, focusing on serving international GMP consulting work, including FDA, EU-GMP, TGA, PIC/S, QP and other certification, auditing and verification work. It has successively provided international GMP services for Lizhu Pharmaceutical, Baiyunshan Pharmaceutical, China Resources Sanjiu, North China Pharmaceutical, Kangtai Biology, Baiji Biology, Longsha Biology, Sinopharm Zhongsheng and other enterprises, and has been recognized by customers. Has repeatedly used simulation inspection and audit to help pharmaceutical companies through international certification audit and inspection, has helped Huiyu Pharmaceutical, China Resources Sanjiu, Sinopharm, Hanteng Bio, Raffles Pharmaceutical and other pharmaceutical companies through international certification audit and inspection.