Understanding the FDA

The FDA, or the U.S. Food and Drug Administration, is a federal agency responsible for protecting and promoting public health by controlling and supervising the safety of foods, dietary supplements, prescription and over-the-counter medications, vaccines, biopharmaceuticals, blood transfusions, radiation-emitting devices, veterinary products, and more.

For companies in the life sciences, the FDA plays a crucial role in regulating and overseeing the development, manufacturing, and marketing of medical products. Here are some ways the FDA affects companies in the life sciences:

• Drug Approval and Regulation: The FDA reviews and approves new drugs and biologics before they can be marketed and sold. Companies in the pharmaceutical and biotechnology industries must submit extensive data on the safety and efficacy of their products, and the FDA evaluates this information to determine if the benefits outweigh the risks.
• Medical Device Regulation: Companies that manufacture medical devices, ranging from simple tools to complex machinery, must adhere to FDA regulations. The agency classifies devices into different categories based on risk, and companies must comply with specific design, manufacturing, and labeling requirements.
• Biological Products: The FDA regulates biologics, including vaccines, blood components, gene therapies, and cellular therapies. Companies developing and manufacturing these products must meet stringent standards to ensure their safety and effectiveness.
• Quality Control and Good Manufacturing Practices (GMP): Life sciences companies are required to follow Good Manufacturing Practices to ensure the quality and consistency of their products. The FDA conducts inspections to verify compliance with these standards.
• Clinical Trials Oversight: Before a new drug or medical device is approved, it typically undergoes clinical trials. The FDA oversees these trials to ensure that they are conducted ethically, with patient safety in mind, and that the data generated is reliable.
• Labeling and Marketing: The FDA regulates the labeling and marketing of pharmaceuticals and medical devices to ensure that the information provided to healthcare professionals and the public is accurate and not misleading.
• Post-Market Surveillance: Even after a product is approved and, on the market, the FDA continues to monitor its safety. Companies are required to report adverse events, and the FDA may take regulatory action if safety concerns arise.

Consequences for non-compliance with FDA regulations

Non-compliance with FDA regulations can result in serious consequences for companies, including product recalls, fines, and legal actions.

Understanding Code of Federal Regulations (CFR)

The CFR is a compilation of regulations established by federal agencies, including the FDA, to implement laws enacted by Congress. It is divided into 50 titles, each covering specific regulatory areas. Title 21 is particularly relevant for life sciences, encompassing FDA regulations on food and drugs.

Key Aspects of CFR Regulations:

• Good Manufacturing Practices (GMP): CFR outlines GMP regulations to ensure the consistent quality and safety of products, including pharmaceuticals and medical devices.
• Quality Systems Regulation (QSR): QSR, under CFR Title 21, governs the design, production, and distribution of medical devices to guarantee their safety and effectiveness.
• New Drug Application (NDA) Process: Title 21 of CFR provides the regulatory framework for submitting and approving NDAs, a critical step in bringing new drugs to market.

Significance in Life Sciences:

• Patient Safety: FDA and CFR regulations are designed to prioritize patient safety, ensuring that products meet rigorous standards before reaching consumers.
• Innovation and Research: The regulatory framework encourages innovation by providing a clear pathway for the approval of new drugs, medical devices, and therapies.
• Global Impact: Many countries reference FDA and CFR standards, making compliance essential for companies engaged in international trade and commerce.

Conclusion

FDA and CFR regulatory frameworks not only safeguard public health but also foster innovation and maintain the integrity of the industry. Navigating the regulatory landscape requires a commitment to compliance, ensuring that life science companies contribute to a safer and healthier world.

About Astrix

Astrix provides market-leading life science domain expertise, strategy, technology, and staffing services from one integrated team working seamlessly together. As a leading staffing solutions provider in this field, we deeply understand the regulatory landscape and work tirelessly to ensure that our clients are fully compliant with industry regulations. Our team of experts provides customized staffing solutions to ensure our clients have the talent they need to meet compliance standards and achieve their business objectives.

The post Understanding Compliance Regulations in the Life Science Sector Part 1 appeared first on Astrix.

As evidence of its interest in quality metrics, the FDA published an initial draft guidance in July of 2015 encouraging firms foster a culture of quality and continuous improvement, and signaling its intent to establish a quality metrics reporting program requiring the submission of quality metrics data. A year and a half later (November 2016), responding to comments and some pushback by industry stakeholders, the FDA released a revised draft guidance entitled “Submission of Quality Metrics Data: Guidance for Industry.”

In this latest revised draft guidance, the FDA initiates a voluntary reporting phase of the FDA quality metrics reporting program as a prelude to the eventual mandatory requirement for the submission of quality metrics data. Effectively, this revised draft guidance is a gift from the FDA that establishes a “practice” period for companies to get their quality management program and metrics in alignment with what will eventually become FDA rules on quality metric submission. As the FDA states in the revised guidance, “FDA does not intend to take enforcement action based on errors in a quality metrics data submission made as a part of this voluntary phase of the reporting program, provided the submission is made in good faith.”

While the voluntary program is focused on finished drug products and API manufacturing, all manufacturers may report quality metrics data (e.g., atypical active ingredients, excipient manufacturers). The FDA also notes that participation in the voluntary reporting program outlined in the draft guidance provides an opportunity to demonstrate a commitment to transparency and a willingness to proactively engage with the agency. In other words, participation in this “voluntary” program is a good way to create good relations with the FDA.

Pharmaceutical and biologics manufacturers would be well-advised to become familiar with the program outlined in the FDA’s revised draft guidance on quality metrics, so that they can begin to develop and implement appropriate standard operating procedures (SOPs) and quality management system (QMS) solutions. There are a number of important takeaways in the FDA’s revised draft guidance on quality metrics. In this blog, we’ll detail some of the more noteworthy aspects of the guidance that companies and labs should be paying attention to.

Overview of The FDA Quality Metrics Guidance

Some of the key details contained in the FDA revised guidance on quality metrics include:

The FDA’s objectives for the quality metrics program. As stated in the guidance document, the FDA’s goals behind the publication of this revised draft guidance are to:

• Establish a signal detection program as one factor in identifying establishments and products that may pose significant risk to consumers
• Identify situations in which there may be a risk for drug supply disruptions and engage proactively with manufacturers to mitigate the likelihood of their occurrence
• Improve the FDA’s evaluation of drug manufacturing and control operations
• Help prepare for, direct and improve the effectiveness of establishment inspections
• Use the calculated metrics as an element of the post-approval manufacturing change reporting program with an emphasis on encouraging lifecycle manufacturing improvement

Dates for Voluntary Quality Metrics Reporting. As described in the Notice of Availability (NOA) for the revised draft guidance, the FDA intends to open an electronic portal in January 2018 to begin receiving voluntary submissions of quality metrics data that was generated in 2017.

Metrics to be Reported for Voluntary Program. The quality metrics data described in this draft guidance is produced in the course of manufacturing drugs in compliance with cGMP. The metrics that the FDA is asking establishments to report in this voluntary program are:

• Lot acceptance rate (LAR) as an indicator of manufacturing process performance. LAR is the number of accepted lots in a timeframe divided by the number of lots started by the same establishment in the current reporting timeline.
• Product Quality Complaint Rate as an indicator of patient or customer feedback. PQCR is defined as the number of product quality complaints received for the product divided by the total number of dosage units distributed in the current reporting timeframe.
• Invalidated Out-of-Specification (OOS) Rate (IOOSR) as an indicator of laboratory operation and performance. IOOSR is defined as the number of OOS test results for lot release and long-term stability testing invalidated by the reporting establishment due to an aberration of the measurement process divided by the total number of lot release and long-term stability OOS test results in the current reporting timeframe.

Appendix B of the Guidance helps to define these metrics with clarifying examples which will help companies with their internal definitions. Any questions that an establishment may have about their specific situation when gathering this data can be emailed to: OPQ-OS-QualityMetrics@fda.hhs.gov.

Additional Quality Metrics Recommended. The quality metrics requested for the voluntary program are not intended to be all-inclusive. Manufacturers are encouraged to utilize additional quality metrics in their day-to-day QC operations that are deemed necessary to evaluate a product’s or manufacturer’s quality. Additional metrics may be added to the FDA’s future mandatory quality metrics reporting program. Also, additional metrics, or lack thereof, may be evaluated in an FDA inspection of manufacturing facilities.

How to Submit Quality Metrics for the Voluntary Reporting Program. Reporting establishments should submit quality metrics reports where the data is segmented on a quarterly basis throughout a single calendar year. Appendix A of the draft guidance contains a description of the quality metrics data elements that are relevant for different business segments/types. Additionally, a revised version of the Quality Metrics Technical Conformance Guide that describes additional technical details will be released soon. Finally, the FDA expects to publish a Federal Register notice providing further instructions on the submission of voluntary reports no fewer than 30 days before the electronic portal is opened.

Both Product and Site Quality Metric Reports Will be Accepted. The FDA will permit establishments to submit data in this voluntary quality metrics reporting program in two formats – by site segmented by product, or by product segmented by site. This allows companies to submit the data in the way that works best for them. That said, the Agency does prefer data segmented by product, because it demonstrates effective control over the manufacturing process for drugs over the entire the supply chain.

Special Considerations for Products Imported/Manufactured Outside the United States. The FDA recognizes that it may be extremely difficult to identify started lots, rejected lots, and OOS results that are manufactured by CMOs that are not in the United States. The FDA therefore allows voluntary reports to contain data from lots not imported with the data from lots that are imported, provided that the manufacturing process for both uses the same process and controls data. Product quality complaint rate (PQCR) data, however, should be collected only for drugs that are imported, intended for import or manufactured in the United States.

Optional Comment Field Within Quality Metrics Report.  Reporting establishments can submit a comment of up to 300 words with their quality metrics report in order to explain anomalous data or report any plans for quality improvement. As the guidance explains, comments “may describe special situations, such as natural disasters, the use of emerging technology, or describe the manufacturing supply chain or a plan for improvement.” The FDA “may refer to the comments if unusual data trends are identified, or in preparation for an on-site inspection.”

Mandatory Quality Metrics Reporting Will Eventually be Implemented. After data collection in 2018, the portal accepting voluntary submissions of quality metrics data will be closed and the FDA will begin data analysis. Once this analysis is complete, the FDA will share on its website what it has learned from the voluntary phase of the reporting program, and also initiate notice and comment rulemaking to develop it’s mandatory reporting program.

Quality Metrics Reporters List Will be Published. Upon completing analysis of the data from the voluntary quality metrics reporting program, the FDA will publish a list of the companies that participated in this voluntary reporting phase on its website. The reporting establishments in this list will be broken down into product and site report categories, and then tiered based on how much quality metric data was reported. The FDA feels this list may be useful for:

• Establishments within the pharmaceutical manufacturing industry as one element of a robust outsourcer or supplier selection process.
• Healthcare purchasing organizations, healthcare providers, patients, and consumers in sourcing drugs.

Key Quality Management System Takeaways for Manufacturers

In order to submit data that is in alignment with this new revised quality metrics draft guidance, product owners will need to choose between submitting data organized by product or site. While the FDA prefers data organized by product, gathering the metrics by product across the entire supply chain will be more involved than by site. Manufacturers will likely need to redesign their quality metrics dashboards and management review process to be able to facilitate consistency in quality practices across the enterprise and partners. The following recommendations may be helpful in adjusting quality management systems to meet the new guidelines:

• Appropriate dashboard KPIs need to be determined and defined prior to implementing system that aggregates data for the dashboard.
• The quality system should contain policies and procedures that validate that information is funneling to the dashboard as intended and assure the appropriate level of data visibility by management provided by the dashboard.
• KPIs in the dashboard should align with requirements outlined in the FDA revised draft guidance, and include clear definitions that include data standards.
• Individuals manually entering source data should receive proper training on proper policies and procedures.
• Review of KPI targets should occur on a regular basis. Assessments should be regularly conducted to identify poor performance in order to drive corrective action plans.

Conclusion

With the release of this revised guidance document of the submission of quality metrics data, the FDA continues to encourage pharmaceutical manufacturers to implement a modern, risk-based quality management system as part of its mission to protect public health. The FDA’s grand vision is for the pharmaceutical industry to shift from a culture of compliance and rules to a culture of quality, where quality protocols are built into every process. While this revised guidance outlines a voluntary program for submission of quality metric data, a mandatory program is coming. Manufacturers would therefore be wise to utilize this voluntary phase to take a hard look at their quality systems maturity and begin to focus on how quality metrics are defined, collected, organized, verified and reported. Manufacturers will need to review their quality metrics management and reporting systems, identify any gaps in data collection, and take steps to bring systems into alignment with the metrics program guidelines. Manufacturers who take these steps now will avoid the hassle of being forced to make these changes under accelerated timelines later, and will reap the financial and customer loyalty benefits that come with producing quality products

The post What the FDA’s Quality Metrics Reporting Program Means for Your Lab appeared first on Astrix.

In the years following the creation of Part 11, there was much discussion and confusion in the pharmaceutical industry regarding what it meant and how it would be enforced. Additionally, concerns were raised by many in the industry that the new regulation would significantly increase the cost of compliance and discourage innovation and technological advances. In response to these issues, the FDA released a guidance document in 2003 entitled “Part 11, Electronic Records; Electronic Signatures – Scope and Application,” which was intended to provide a practical interpretation of Part 11 and clear up industry confusion around its interpretation and enforcement. This guidance document clarified that the Agency intended to interpret the scope of part 11 narrowly and exercise enforcement discretion with regard to part 11 requirements for validation, audit trails, record retention, and record copying.

In the years since the 2003 guidance document was issued, there has been significant technological advances (e.g., cloud computing, mobile devices, etc.), and a proliferation of third-party vendors offering services for electronic systems. In order to address some of the questions that have arisen regarding Part 11 regulations due to the ongoing digitization of data in clinical trials, the FDA issued a draft guidance for industry titled “Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers” in June of 2017.

This most recent draft guidance on electronic records and signatures clarifies, updates and expands upon the recommendations related to clinical trials in the 2003 guidance, and provides information to sponsors, institutional review boards (IRBs), clinical investigators, and clinical research organizations (CROs) on the use of electronic records and signatures in clinical trials conducted under 21 CFR parts 312 and 812. Let’s examine this new guidance document in detail in order to determine what it means for those involved in generating and signing electronic records in clinical investigations.

Scope of the FDA Guidance

In this new guidance document, the FDA affirms that it will continue to support a narrow and practical interpretation of Part 11, while at the same time reminding sponsors that electronic records must be maintained or submitted in a manner which satisfies all predicate rules. Additionally, this guidance clarifies and expands upon the policy announced in the 2003 part 11 guidance that encourages a “risk-based approach to the validation of electronic systems, implementation of electronic audit trails, and archiving of electronic records.”

This guidance document applies to electronic records and signatures in the following categories:

• Records kept in electronic format in lieu of paper that are required for clinical investigations of medical products. This includes all records that would be necessary for the FDA to reconstruct a study.
• Electronic records that are relied on to perform regulated clinical study activities.
• Records pertaining to clinical investigations that are submitted to FDA in electronic format under predicate rules, even if these records are not explicitly identified in FDA regulations.
• Electronic signatures required for clinical investigations that are intended to be the equivalent of handwritten signatures executed on paper.

The following electronic systems used in clinical investigations are addressed by the guidance in terms of their applicability to Part 11 requirements:

• Electronic systems, whether commercial off-the-shelf (COTS) or customized, that are owned or managed by sponsors and other regulated entities
• Electronic services that are outsourced by the sponsor or other regulated entities
• Electronic systems that are primarily used in the delivery of medical care
• Mobile technology and telecommunications systems

Overview of the FDA Guidance

The information communicated in this guidance document is extensive. The guidance provides 28 questions and answers (Q&A) detailing how sponsors, IRBs, clinical investigators, and CROs can ensure that electronic records and signatures are equivalent to paper ones and thus meet agency requirements. The bulk (24) of these Q&A cover the scope and application of Part 11 requirements in clinical investigations and are organized into 5 topics – Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities, Outsourced Electronic Services, Electronic Systems Primarily Used in the Provision of Medical Care, Mobile Technology, Telecommunication Systems. A final section contains 4 Q&A that are dedicated to clarifying the appropriate use of Electronic Signatures.

Let’s look at some of the key expectations communicated by the guidance:

Electronic Systems Owned or Managed by Sponsors and Other Regulated Entities

The FDA lists a number of electronic systems used in clinical investigations that are owned or managed by sponsors or other regulated entities (e.g., CROs, IRBs) include: electronic case report forms (eCRFs), electronic data capture (EDC) systems, electronic trial master forms (eTMFs), electronic Clinical Data Management System (eCDMS), and others. Requirements and recommendations specified in this guidance for these systems include:

• Risk-Based Approach to Validation – Electronic systems should be validated if they are used to process/produce critical records that are submitted to the FDA. The FDA suggests a risk-based approach to validation, where the extent of validation varies from that which is defined by “internal business practice and needs” for off-the-shelf business tools in general use (e.g., word processors, spreadsheets, etc.), to “user acceptance testing, dynamic testing, and stress testing” for customized tools that have been developed to meet a unique business need. When determining the level of validation for a given system, sponsors and other regulated entities should consider the purpose and significance of the record (i.e., the extent of error that can be tolerated in the record without compromising its reliability and utility), and the attributes and intended use of the electronic system used to produce the record.
• FDA Inspections of Electronic Systems – The FDA will focus on documentation of system validation for both the implementation of these electronic systems, as well as any changes made (e.g., upgrades, security patches, new instrumentation, etc.) to the system once in use. Migrations of source data to other systems or formats will be checked to ensure that the data is not altered in value or meaning in the process. Additionally, the FDA will review standard operation procedures (SOPs) and support mechanisms (e.g., training, technical support, audits, etc.) to ensure that the system is being used and functioning in the manner intended.
• Vendor Audits – Sponsors and other regulated entities should use a risk-based approach in determining whether or not to perform vendor audits. To minimize time and cost burdens, the FDA suggests sponsors and other regulated entities consider “periodic, but shared audits conducted by trusted third parties.”
• Security Safeguards – In order to assure compliance with 21 CFR Part 11.10 and 11.30, sponsors and other regulated entities must ensure that procedures and processes are in place to limit access to the electronic systems utilized in clinical investigation to appropriate, authorized users. Additionally, external security safeguards (e.g., firewalls, anti-spyware, antivirus, etc.), need to be in place to prevent, detect and mitigate the effects of computer viruses, worms and other harmful software code on study data and software.
• Electronic Storage for Archiving Study-Related Records – Using a durable electronic storage device to archive a study-related record at the end of a clinical study is acceptable. Sponsors and other regulated entities should ensure that the content and meaning of the record and the integrity of the original data are preserved. If these records are archived in such a way that they can be searched, sorted, or analyzed, sponsors should provide electronic copies with the same capability to the FDA during an inspection if it is reasonable and technically feasible.
• Investigative Sites Outside the United States – The FDA states that if a non-U.S. site is conducting a clinical trial under an investigational new drug application (IND, then both the sponsor and the site must follow FDA regulations – Part 11 requirements will apply to any required records kept in electronic format.

Outsourced Electronic Services

When outsourcing electronic services (e.g., data management services, cloud computing services), sponsors and other regulated entities are ultimately responsible for ensuring that all regulatory requirements are met. As such, sponsors and other regulated entities need to ensure:

• the authenticity, reliability and security of any data used to support a marketing application for a medicinal product.
• that regulated records and data are available to FDA during an investigation or an inspection.
• that outsourced electronic services are validated when appropriate – documentation of SOPs and results for validation testing should be obtained from the outsourced electronic service vendor.

Sponsors and other regulated entities should form service agreements with any outsourced electronic service vendor, but before entering into such an agreement, the sponsor or other regulated entity should evaluate and select an electronic service vendor based on their ability to meet part 11 requirements and data security safeguards.

Sponsors and other regulated entities should be able to provide the following information to the FDA upon request at each of their regulated facilities that utilize outsourced electronic services:

• Specified requirements of the outsourced electronic service
• A service agreement defining what is expected from the electronic service vendor
• Procedures for the electronic service vendor to notify the sponsor or other regulated entity of changes and incidents with the service

Mobile Technology

The guidance document addresses the use of mobile devices in clinical trials, whether the device is provided by the sponsor or brought by the study participant. Mobile technology in this guidance document refers to portable electronic technology used in clinical trials that enables off-site, remote data capture from study participants – mobile platforms, mobile applications, wearable biosensors, and other portable, implantable and ingestible electronic devices. Requirements and recommendations specified in this guidance for mobile technology include:

• Access Controls – Sponsors should implement user access controls (e.g., ID code, username and password, electronic thumbprints, other biometrics) for mobile technology used by study participants in clinical trials to ensure that data entrees come from study participants. In cases where these controls are not practical, sponsors should obtain a signed declaration from study participants confirming that they will be the only ones using the device.
• Source Data – As mobile technology typically only stores data collected from study participants for a very short period of time before being transmitted to the sponsor, the FDA indicates that “…the first permanent record is located in the sponsor’s EDC system or the HER, and not in the mobile technology.”
• Validation of Mobile Technology – The guidance suggests a risk-based approach to validation of mobile technology. Sponsors should validate mobile technology before use in a clinical trial to ensure that a measured value is reliably captured, transmitted and recorded in the sponsor’s EDC system. Note that validation is specific to Part 11 and does not address performance of the mobile technology, which should follow standard medical device validation requirements.
• Audit Trails – When mobile technology is used to transfer data to the sponsor’s EDC system (or to the EHR and then the sponsor’s EDC), the audit trail begins at the time the data enters the sponsor’s EDC system. The EDC system should capture the date and time the data entered, as well as the data originator (study participant, mobile technology or EHR).
• Security Safeguards – Data transmitted wirelessly from a mobile device to a sponsor’s EDC must be encrypted both at rest and in transit to ensure confidentiality and prevent access by malicious parties. In addition to encryption and user access controls, sponsors should implement remote wiping and disabling of devices, firewalls, and procedures for wiping all stored health information on mobile devices before reusing or discarding to ensure confidentiality.
• Training – The FDA expects sponsors, clinical investigators, study personnel, and study participants to be adequately trained on the use of any mobile technology that is used in a clinical trial.

Electronic Signatures

To be considered the equivalent of handwritten signatures, electronic signatures must comply with Part 11 requirements. Nevertheless, in this guidance document, the FDA communicates flexibility in terms of the methods it will accept for the creation and verification of electronic signatures and biometrics.

• Methods of Creating Electronic Signatures – The Agency states that Part 11 allows for a wide variety of methods for creating electronic signatures – computer-readable ID cards, biometrics, digital signatures, and username/password combinations. All signatures on electronically signed documents need to be accompanied by a computer-generated, time-stamped audit trail.
• Verification of Identity of Those Who Create Electronic Signatures – Part 11 requires that organizations “verify the identity of an individual before the organization establishes, assigns, or otherwise sanctions an individual’s electronic signature or any element of such electronic signature.” However, the FDA does not specify any particular method for verifying the identity of an individual. Methods suggested include: birth certificate, government-issued passport, driver’s license, security questions.
• Biometrics – The FDA defines biometrics as “a method of verifying an individual’s identity based on measurements of the individual’s physical features or repeatable actions where those features and/or actions are both unique to that individual and measurable.” The FDA does not specify any particular biometric method upon which an individual’s signature should be based. Examples given as possible options include: fingerprints, hand geometry (i.e., finger lengths and palm size), iris patterns, retinal patterns, or voice prints.

In addition, the FDA provides important guidance regarding electronic signatures by an individual during a period of controlled system access: “When an individual logs into an electronic system using a username and password, it is not necessary to re-enter the username when an individual executes a series of signings during a single, continuous period of controlled system access. After a user has logged into a system using a unique username and password, all signatures during the period of controlled system access can be performed using the password alone.”

Conclusion

The information contained in the FDA’s new guidance document on electronic records and signatures is extensive, and signifies that the Agency is increasingly focused on data integrity in the electronic records submitted in support of new drug approvals. While this guidance is focused on electronic records and signatures in clinical trial documents, the concepts and recommendations outlined are applicable for any operational system that must conform to Part 11 requirements. Organizations would therefore be wise to consider the information communicated in this guidance document when implementing electronic records and signatures across the product lifecycle.

Additionally, partnering with a quality informatics consulting firm that specializes in data integrity and computer system validation in order to assess the status of your organization’s 21 CFR Part 11 compliance may be an effective path forward. Such a firm can help you define your  needs/requirements, and then determine the best business solution(s) that will bring your organization into regulatory compliance.

The post What the New FDA Guidance on Electronic Records and Signatures Means for Clinical Trials appeared first on Astrix.

In the United States, the FDA is not required to provide advance notice of an inspection. In facilities where violations were noted during a previous inspection, the FDA will likely provide no advance notice. If your last inspection was without violation or if this is a pre-approval visit, however, you will likely be given notice of an impending inspection.

There are few events that engender as much anxiety for company stakeholders as an FDA audit. Are you prepared for when the FDA shows up at your front door? Do your employees know how to interact with FDA inspectors when they are on site? Do you have Standard Operating Procedures (SOPs) in place for handling an FDA audit?

Surviving an FDA audit can be significantly less daunting if you know what to expect and have a strategy in place to ensure the best possible outcome. In this blog, we will provide best practice guidelines to help you prepare for an FDA inspection, as well as understand how to best interact with the inspector – both while they are on site and post-inspection.

Pre-Inspection Best Practices

There are a number of best practices that are important to accomplish prior to any FDA inspection.

Understand the Regulations. The most important preparation is to be knowledgeable about FDA regulations and compliant with them in your daily operations. We have discussed a number of FDA Guidance documents and compliance best practices in previous blog posts. These include:

• Data Integrity
• Computer System Validation
• Quality Metrics Submission
• Good Clinical Practice
• Electronic Records and Signatures
• Genetic Testing

Know the Types of Audits. The FDA conducts several types of inspections in its efforts to protect consumers from unsafe products:

• Pre-approval inspections occur after a company submits an application to the FDA to market a new product.
• Routine inspections of regulated facilities are the most common type of audits performed.
• “For-cause” inspections can occur when a specific problem has come to the attention of the FDA.

FDA inspectors follow Compliance Policy Guides (CPGs) that detail the steps involved in each type of inspection, although they do not limit the activities of an inspector. Understanding the type of inspection to be conducted and referencing the appropriate CPG will help you know the length of time inspectors will be at your facility and the type of documentation that you will need to provide for their review.

Make a Plan. Best practice is to have inspection procedures in place in the form of SOPs that describe when and how to act in response to an FDA audit. These SOPs should cover every aspect of the inspection – inspection preparation, arrival of the inspector, conduct of personnel during an inspection, handling any disputes that may arise, system for tracking document requests by the inspector, and the final meeting with the inspector to discuss results. If you don’t already have inspection SOPs in place, it may be helpful to consult with a qualified third party to create them.

Designate an Inspection Team. It is likely that the investigator(s) will need to interact with several key personnel in your organization during the inspection. Best practice is to determine who those stakeholders are in advance, assign each team member’s roles and responsibilities, and train them on your organization’s approach to the audit. It is also important to assign someone to be the investigator’s key contact that will escort them to locations throughout your facility. Make sure this person has the knowledge and authority required to speak to any concerns and/or requests that arise.

Conduct Internal Inspections. Best practice is to periodically perform thorough internal inspections and audits of your facility and systems to assess compliance status prior to an FDA visit. One approach to accomplish this is using internal resources knowledgeable about regulatory compliance who also have experience with real audits to lead an internal audit. This should be considered as significant as an official regulatory agency audit and executed as thoroughly. Another approach is to engage a third party consultants with expertise to assess compliance status.

Inspection Best Practices

The first thing to do when the inspector(s) arrive is to check his or her identification:  the inspector is obligated to show you their credentials. Other best practice recommendations:

Notify Employees. If you did not receive advance notice of the inspection, alert all potentially affected employees as quickly as possible that the FDA is on-site and that they should follow company protocol detailed in your SOPs when asked questions.

Designate Appropriate Workspace. Designate an area for the inspector to work. This space should be quiet, private and comfortable – a separated conference room is typically a good choice. It is wise to avoid placing the inspector(s) in an office where there is a lot of traffic and external activity.

Establish Open Communication. It is important to establish open communication between your company representatives and the FDA examiner(s). Cooperate with FDA inspectors and do not impede their progress or engage in idle conversation. It is important that company representatives provide answers specific to what is asked. Remember that you are the host. Be polite, avoid confrontation, and do not challenge of the inspector’s understanding of regulations. If challenges are warranted, they are only relevant in writing as responses to the written contents of the audit report. Request a brief update meeting with the FDA inspector at the end of each day to stay informed of inspection progress and any issues that have arisen. It is important to respond to questions and clarify any issues as they arise during the inspection.

Develop an Audit Dossier. Collect copies of files or samples submitted, along with any updates provided by FDA examiners and other important details, in an audit dossier throughout the inspection process. This will identify the specific support material used during the audit and help you track any issues that are identified so you can develop an appropriate response.

Understand FDA Jurisdiction. In order to protect your company’s trade secrets and proprietary information, there are restrictions on the types of files that FDA inspector can access. Files containing the following are restricted:

• Business plans
• Financial records, including most sales data
• Pricing information
• Unrelated Research & Development
• Personnel files

If an FDA investigator asks for something that you believe in on this restricted list, you can request a conversation to obtain clarity on why the documentation is being requested.

Develop a System for Handling Requested Records. Best practice is to develop a back room/front room operation to fulfill and track document requests as quickly as possible. Review a requested record before sending it to the inspector to verify it is complete. Once the inspector reviews a record, remove it from the inspection workplace. Be honest and forthcoming fulfilling records requested by the inspector.

Post-Inspection Best Practices

Schedule a Closeout Meeting. A closeout meeting should be held at the conclusion of the FDA inspection to discuss findings that includes company senior management, members of the Inspection Team, and all FDA inspectors. This meeting should encourage dialog. The inspector will document any compliance deviations observed during the inspection using an FDA Form 483. The contents of Form 483 should be reviewed and discussed in this meeting to make sure there is full understanding of the observations and what they mean.

Formulate an FDA Form 483 Response. Your company must provide a formal response to the FDA Form 483 observations in writing within 15 days of your closeout meeting. Your response should be clear, concise, and thorough, and include:

• A compliance commitment statement from company management.
• A separate response addressing each observation.
• Root cause and a corrective and preventative actions for each observation, including dates.
• A method of verification and/or monitoring for all future corrections and a commitment to a follow-up response.
• Evidence for corrections that have already been completed.

Conclusion

Enforcement actions by the FDA with respect to regulatory compliance violations can result in serious financial consequences for an organization due to facility shutdown, product recalls, import and/or distribution bans, delayed or denied drug approvals, substantial remediation costs, and loss of customers due to a damaged reputation. These actions also divert worker attention away from their daily activities towards corrective and preventive actions, which can result in significant expenditures of time and money. Additionally, manufacturers who are found in violation of regulations may lose the trust of the FDA and face more frequent and in-depth inspections. Several companies that have been cited for compliance deficiencies by the FDA over the last decade are in fact no longer in business due to the financial hardships that ensued.

One of the most important actions a company can take is to develop an effective compliance strategy to ensure the best possible outcome in the event of an FDA inspection. In this blog, we covered a variety of best practices that can help your company effectively prepare for and survive an FDA inspection. In addition to these recommendations, partnering with an experienced third party consultant who can provide a comprehensive compliance assessment can be very helpful. If you would like to discuss your overall compliance strategy, please don’t hesitate to contact us.

The post Strategies for Surviving an FDA Audit appeared first on Astrix.

The FDA first identified failures in data governance and data integrity in the year 2000 with a warning letter issued to Schein Pharmaceuticals that cited lack of proper controls over computerized laboratory systems. In the years since, the FDA focus on compliance with data integrity regulations in facility inspections has increased significantly. We have written extensively about how the FDA defines data integrity and the current FDA regulations and guidance in this area. For more information on these subjects, see here and here and here.

Enforcement actions by the FDA due to failure to comply with data integrity regulations can result in serious financial consequences for an organization due to facility shutdown, product recalls, import and/or distribution bans, delayed or denied drug approvals, substantial remediation costs, and loss of customers due to a damaged reputation. In addition, manufacturers who are found in violation of data integrity regulations may lose the trust of the FDA and face more frequent and in-depth inspections in the future.

As such, it is critical for organizations to take appropriate steps to ensure compliance with applicable data integrity regulations governing the production of pharmaceutical drugs. In this blog, we will discuss recent trends in FDA warning letters and 483s in the pharmaceutical industry with regards to data integrity, and also highlight the importance and benefits of incorporating independent data integrity assessments into your organization’s quality management system (QMS) as part of cGMP audit programs.

FDA Form 483s and Warning Letters

The FDA conducts all inspections of regulated products, research sites and manufacturers through its Office of Regulatory Affairs (ORA). When the FDA inspects a pharmaceutical company’s facility, they can either show up unannounced or alert the company ahead of time. Once the inspection is complete, the inspectors can communicate any observed conditions and/or practices that may be in violation of FDA requirements through a Form 483 or a warning letter. While both of these documents serve to inform sponsors and principal investigators of issues that require corrective action, there are important differences in terms of the seriousness of the infraction(s) being highlighted:

FDA Form 483

An FDA Form 483 is essentially a list of identified regulatory deficiencies that an ORA inspector provides to company management at the end of an inspection. As the FDA expects that these deficiencies will be remediated, it is important to respond thoughtfully to the FDA within 15 days detailing your plan for corrective actions in order to avoid a warning letter. A Form 483 response will usually require input from many different aspects of your organization, so it should be all hands on deck upon receiving the 483 to facilitate a good response detailing a comprehensive plan of action within 15 days.

FDA Warning Letter

An FDA warning letter is issued by ORA inspectors for more serious compliance deficiencies, often involving previous Form 483s that have not been effectively remediated. Warning letters should be taken very seriously and answered in a timely fashion within the required time frame. A comprehensive remediation plan needs to be developed, implemented and adhered to, along with consistent communication with the FDA during the process to avoid further enforcement actions.

Trends in Pharmaceutical Company Form 483s and Warning Letters Citing Data Integrity Violations

The Big Data and AI Analytics firm Govzilla found that, regardless of company size, roughly 50% of all global drug 483s that have been issued over the 5 year period from 2014-2018 cite data integrity concerns. Data integrity violations are even more prevalent in warning letters, with 79% of global drug warning letters during this period citing data integrity issues. Additionally, the total number of FDA warning letters referencing data integrity deficiencies has increased significantly in recent years.

While 21 CFR Part 11 is known as the data integrity rule, deficiencies in Part 11 are rarely cited in 483s or warning letters – almost all deficiencies cited are failures to comply with cGMP predicate rules (specifically, 21 CFR Parts 210, 211 and 212). Two predicate rules that are frequently cited are Parts 211.68 and 211.194.

Part 211.68 specifies requirements for “Automatic, Mechanical and Electronic Equipment.” Common citations in this area include:

• The company did not implement effective computer system controls to ensure only authorized individuals had access to the systems.
• Access was not consistent with appropriate roles and responsibilities. For example, laboratory analysts could delete or modify data, change configuration settings (e.g., disable audit trails), could adjust date and time stamps for electronic data to falsify the date/time when data was initially acquired.
• Data was not backed up appropriately to allow data reconstruction activities in future.
• Audit trail data did not match data in printed chromatograms.

Part 211.194 is cited when companies do not review and include all relevant data when making lot release decisions. Common citations in this area include:

• Companies fail to review critical data and/or metadata that would allow them to identify out of specification (OOS) events that require investigation in lot release decisions.
• The company falsifies test results, destroys data, or does not have the data necessary to support a test result.
• Laboratory analysts reprocess or manipulate data, or delete OOS data, so the result will meet acceptance criteria.

Other recently cited deficiencies include:

• Utilizing “pre-injections” of product samples outside of full sample sets to determine if results pass acceptance criteria, and then deleting/ignoring results if they fail.
• Disabling audit trails intermittently to obscure results
• Deletions or modifications of results
• Use of integration suppression settings to minimize data that would likely cause an OOS result
• Aborting test runs with no justification

One common theme in recent warning letters to pharmaceutical companies has been the clear and consistent encouragement by the FDA to employ “independent” data integrity assessments as part of the strategy for remediating identified issues. A few examples include:

• On August 10^th, 2018, a warning letter was issued to the manufacturing facility of Kyowa Hakko Bio Co., Ltd. in Japan that stated: “We recommend that a qualified third party with specific expertise in the area where potential breaches were identified should evaluate all data integrity lapses.”
• On March 26^th, 2019, a warning letter was issued to the manufacturing facility of Winder Laboratories, LLC in Georgia that stated: “Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture…. We strongly recommend that you retain a qualified consultant to assist in your remediation.”
• On June 13^th 2019, a warning letter was issued to the manufacturing facility of Akorn Inc. in Illinois that stated: “Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture…. We acknowledge that you are using a consultant to audit your operation and assist in meeting FDA requirements.”

Conclusion

Data integrity is a growing focus of the FDA, and it is therefore critical for organizations to ensure compliance with applicable data integrity regulations governing the production of pharmaceutical drugs. While this blog specifically highlights FDA trends in Form 483s and warning letters for pharmaceutical drug manufacturers, the recommendations communicated are also applicable to biotech companies, clinical research and CROs, medical device manufacturers, R&D laboratories, etc.

In order to ensure compliance, working with an external consultant that has expertise in data integrity evaluations to audit your laboratory environment is best practice, as an expert with fresh eyes will be able to effectively locate data integrity issues you missed. A data integrity assessment performed by a qualified team of regulatory experts provides a number of important benefits for your organization:

• Strengthens Your Organization’s Data Integrity Focus – Helps reinforce the fact that your organization is committed to data integrity compliance for all company employees.
• Provides Peace of Mind – You know that your data integrity issues have been identified and are being addressed.
• Reduces Costs – The cost of remediating data integrity issues identified by the FDA is generally much more significant than when the issues are proactively identified and corrected internally.
• Stay Focused on Your Core Business – Proactively identifying and correcting data integrity issues allows your organization to spend less time on compliance issues so you can stay focused on your core business.

Astrix Technology Group has an experienced team of expert informatics consultants that bring together technical, strategic, regulatory and content knowledge to provide the most effective solutions to problems faced by scientific organizations. Astrix provides experienced professionals knowledgeable about FDA regulations to conduct a thorough assessment of your laboratory informatics environment to identify data integrity risks. If you have any questions about Astrix Technology Group service offerings, or if you would like have an initial consultation with someone to explore how to reduce your compliance risk around data integrity, don’t hesitate to contact us.

The post Trends in FDA Data Integrity 483s and Warning Letters for Pharmaceutical Companies appeared first on Astrix.