CSV FDA Regulatory Expectations:

Warning Letters, Non-Compliance and Trends

Paul Smith

Global Strategic Compliance Specialist

paul_smith@agilent.com

April 2017

April 26, 2017

Confidentiality Label

1

Disclaimer…..

This presentation is intended to facilitate understanding and discussion of

the subject matter included. Statements of facts or opinions expressed

are those of the presenter and, unless expressly stated do not represent

Agilent Technologies. The views and opinions expressed within this

presentation are those of the presenter and should not be acted upon without

independent verification.

Agilent Technologies does not endorse or approve, and assumes no

responsibility for, the content, accuracy or completeness of the information

presented.

What is This ?

Are Your Technical

Controls Good Enough ?

A Chromatogram without

Meta Data, is like this

photograph……

Only part of the of the picture !

Context of any Question…..

Part of a Loft Ladder

Securing Mechanism.

There are 2 catches……….

One of them, stops

the “top part” of the

ladder from sliding

down…… !!

Contents

• Regulatory Action - Monitoring…………………..……………..……..

• GXP Regulations…..…………………………………………………………..…..

• Evidence for Trends in DI….……………………..……………….

• Questions………………………………………………………..….……….……….………..

• Appendix - Additional Slides………………………..……….

Internal

Hyperlink in

Presentation

External (web)

Hyperlink in

Presentation

Navigation Tools

Link to Contents Page

A Suppliers Perspective………

Regulatory ActionMonitoring Observations

Example - FDA Warning Letters

Search

Pro-active

Notification…

Browse…..

A

B

Scroll Down…

• Subject

• Date….

For CFR Search

Use FDA CFR

Terms – from FDA

483 Annual Summary

Sheets !

Web Page – Key Words

ucm401451

Use this approach to Look for

Key Words – Relevant to Your Search !

Open Any Web Page (Including FDA Warning Letter)

Use “Ctrt F” – to Find Key Words:

FDAWarningLetters:

Detailed (Data Integrity) Remediation……

A

B

ucm521098

C

FDA Warning Letter

Recommendations…….

Investigate Extent

Risk Assessment

Management Strategy

See Appendix for

Breakdown of A, B & C

Analysts Skills for Some FDA Laboratory Audits….

ucm522801

“The quality control manager directed employees to stand shoulder-to-shoulder,

barring our investigator from accessing portions of the laboratory and the

equipment used to analyze drugs for U.S. distribution.”

ucm360484

FDA Guidance for Industry[ Circumstances that Constitute Delaying, Denying, Limiting, or Refusing a Drug Inspection]

GXP Regulations

Applicable GXP Regulations….

Users

Generally

Old

Users Knowledge

General Guidance

Interpretation – Old

Regulations

Where Product / Service

is “Made” / Developed

Where Product / Service

is Sold

Applicable RegulationsExport ?

Regulations

• Guidance

• Regulations

(GXP Laws – e.g. CFR)

• Pharmacopeia

• 21 CFR 211 (Drug Product)

• EU GMP Part 1

• EU GMP Part 2 / ICH Q7

• EU GMP Annex 11

• GAMP 5

• GAMP 5 Good Practice Guides

• General Principles of Software

Validation

• FDA Guidance for Industry

• PIC/S

• Data Integrity Guidance

Manage

Auditor

Expectations !

[Variation]

“Paper is Best” !

“Paper is High Risk” !

Resource…

Chapter 4

Applicable GXP

Regulations and

Guidance for CSV

GAMP 5

GAMPGood Practice Guide

GAMP Category 5

USP <1058>

Risk Based Thinking

Risk by Categorisation (Life Cycle)

• Patient Safety

• Product Quality

• Data Integrity

GAMP Category 3/4

Commercial Instruments

[A, B, C]

New GAMP Guide:

Data Maturity Model….. (to consider…)

See Guide for Further Details of Data Integrity Maturity Levels

Example FDA Warning Letters - Software

Change in FDA Audit Focus – Risk Focus

Example – 21 CFR 211.22(d) – Warning Letters

2005 - 2010

Linear trend upwards

For Warning Letters

That include:

21CFR211.22(d)

2010 - 2016

Declining Trend

For Warning Letters

That include:

21CFR211.22(d)

Procedures Not in Writing

Access to Regulatory Non-Conformance DataPublic Domain – Web Search

FDA Warning Letters

Eudra Non-Conformances

FOA Request / SubscriptionAdditional FDA Data:

• FDA 483 Files

• EIR

Inspection Tracker

0

100

200

300

400

500

600

0 20 40 60 80 100 120

Days

Fro

m A

ud

it E

nd

to

Is

su

e o

f F

DA

Wa

rnin

g L

ett

er

All HPLC Related FDA Warning Letters

HPLC Related FDA Warning Letters (97) - Days to Issue Warning Letter

Performance: Days from “Event” to Completion - Good Enough ?

1.5 Years !

ucm465626

18

2005

38

556

518

“Data” stated 28 times…..

5th March 2017

Days After Audit for FDA to Issue Warning Letter (HPLC)

HPLC Related Warning Letters (all 107)

Days t

o Issu

e

Greater Regulatory Collaboration….. Data Integrity

Regulators Collaborate….

They Share What they Find – Quickly!

Examples of

Regulatory

Focus Areas

• Data Integrity

• Contamination

• Injectable / Sterile

EudraGMDP – Non-Compliance Example – China 107 (Jan. 2012 to Present)

Export toDate Range Search (Only)…..

(Hyperlink !)

Part 3 - Concise InformationData – On-Line

http://eudragmdp.ema.europa.eu/inspections/gmpc/searchGMPNonCompliance.do

• Additional Date Fields

• No Hyperlinks

• All (Web - 10 links per page)

Eudra GMDP – Total Eudra Non-Conformances by Country

0

5

10

15

20

25

30

1 1 1

3 32

25

3

12

11

2 21 1

5

1

13

3

26

Eudra GMDP - Number of Non-Conformances Issued by Country

10th March 2017

Eudra GMDP – Total Qualification / Validation by Country

10th March 2017

Eudra GMDP - % of Non-Conformances - Validation / Qualification

10th Mar. 2017

49 % - Average

Within the broad classification used, only 2 out of 107 non-conformances

reference Software, and data integrity related (HPLC and IR).

Eudra GMDP Data Base (Top 15 - 1st January 2012 to 3rd December 2016)

Increasing

Constant

Decreasing

Variable

MHRA (UK) Non-Conformance Data (2015 – 2016)

78 Pages 100 Pages

Annex 11• Data Integrity

• User Permissions / Access

Annex 11• Data Integrity

• Data Backup

• User Permissions / Access

2015 Summary

2016 Summary

Software Updates - Data Integrity Analysis and Action….

Sequential

Model

• Analyse / Fix

“In-House” 1st

• In Isolation

• Delays “Solution”

Collaborative

Model

• Include Supplier

in Analysis….

• Include Supplier

in Solution

Data Integrity

“In-House”

Supplier / Service

Provider

• Software

• Products

• Services

• Workflow Mapping

• Data Integrity Risk

• Data Analysis

• Corrective Action

• Workflow Mapping

• With Supplier

• Solution with Customer

• Customer Requirements

Role of Risk in Review of Supplier Quality….

Procedure

or

Risk

Perception

Low (Commodity)

High (Unique)

• ISO Certification

• Questionnaire

• Physical Audit

The quality of your

Supplier Evaluation Process

Impacts:

The Quality of Future

Decisions – when leveraging

Supplier “Activity”

[Without Additional Justification (cost)]

Supplier Quality – A Time to Re-Think Evaluation ?

Supplier

Quality[Impact of Approval]

ISO Certification Quality Agreement

Quality Audits

KPI / Metrics

• Manufacturing Biased !

• For Service Providers(vs Legal T&C Approach)

• 9001:2015 Revision(Incorporating Risk Based Thinking)

3 Year Transition,

Risk = Effect of Uncertainty)

• Scope of Accreditation

• Leverage ISO Escalation

• Contract Performance…..

• Role of Supplier Metrics ?

• Does Supplier train

their staff in DI ?

• Supplier DI Audits

• Supply Chain for Parts

Questionnaire

• Up to 60 % can be N/A !

• Risk of Tick Box

Thinking (QBTB !)(Quality by Tick Box)

More Non-Conformance

Trends………

Evidence for TrendsIn Data Integrity

MHRA – Most Cited Deficiency Groups (Top 10)

April 26, 2017

Confidentiality Label

33

Ranking GMP GroupCritical Major Others

2015 2016 2015 2016 2015 20162015 2016

1 1 Quality Systems 27 38 293 449 555 772

N/A 2 Sterility AssuranceN/A 34 N/A 190 N/A 162

6 3 Production 0 20 161 191 357 543

2 4 Complaints & Recall 10 11 25 80 94 110

N/A 5 Qualification /

Validation

N/A 10 N/A 123 N/A 232

7 6 Premises & Equipment 0 9 107 113 311 464

5 7 Computerised

Systems

1 9 21 44 19 120

9 8 Personnel 0 8 41 42 95 150

3 9 Documentation 9 2 138 166 372 646

4 10 Quality Control 4 2 26 42 136 192

Example FDA Warning Letters………..

From FDA 2017 Listhttps://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm550326.htm

• OOS

• OOS Management

• Computer Control

• Disregard - OOS Impurity Data

• Investigation – Unknown Impurity Peak

• Audit Trail Deletion ….. HPLC / GC / UV-Visible

ucm546319https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm546319.htm Feb. 24 2017

• Water Purification

• Documentation

• Analytical Method Suitability

• Critical Deviations

• River / Farm Water - Microbial Count

• Found in Bin Bags - CAPA / Document Review

• Contract Analysis – Method Validation Responsibility

• HPLC - Deviations / Re-Processing / CAPA

ucm545454 https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm545454.htm Mar. 2 2017

Example FDA Warning Letters………..

From FDA 2017 Listhttps://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm550326.htm

• Sterile Manufacture

• CAPA

• Data Integrity

• OOS

• Lab Controls 211.160 (b)

• Validation of Sterile …. 211.113 (b) Smoke Studies / CAPA

• Computer Control ….. 211.68 (b) Deletion of Tests

• Complete Data 211.194 (a) OOS

ucm546483 https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm546483.htm Mar. 10 2017

• OOS

• Computer Control

• Invalidated – 101 out of 139 OOS Results – 211.192

• Audit Trail Deletion….. Excuses (Power / Instrument….)

System Error Messages (and warning letter wording)

ucm550326 https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm550326.htm Apr. 3 2017

Change in Focus: FDA HPLC Warning Letters

India Largest: 41 % of HPLC Warning Letters

2011 to 2015

0

5

10

15

20

25

30

35

40

45

11

2 20

41

4

0

11

0

42 2

20

% of FDA HPLC Warning Letters (Country)

0

10

20

30

40

50

60

70

80

11

0 04 4

04

04

0 0 0

75

% of FDA HPLC Warning Letters (Country)

USA Largest: 75 % of HPLC Warning Letters

2005 to 2010 Country

Change in Regulatory Focus: FDA HPLC

Fewer “Technical” Reasons

Data Integrity Largest

2011 to 20152005 to 2010 Cause

Range of Reasons

Calibration / Qualification Largest

0

5

10

15

20

25

11

21

4

7 7

21

25

4

0 0 0

% "Cause" of FDA HPLC Warning Letters (2005-2010)

0

10

20

30

40

50

60

70

0

60

0 26 8

4 2 2

15

0

% "Cause" of FDA HPLC Warning Letters (2011-2015)

Care When Interpreting Warning Letters…..

ucm528590

When reading a Non-Conformance report such as an

FDA Warning Letter:

• The “real problem” is unknown – only the use of the software is non-compliant

• Data Integrity “Dominates” non-compliance data (very little about software validation)

• Lack of Technical Controls (e.g. 21 CFR Part 11) ?

• Technical Controls not Implemented ?

• Lab. Sharing a Licence ?..etc. (e.g. “Root Cause” not known)

Regulators - Qualification Focus – 483 Via Subscription Service

FDA 483 Report – Pharmaceutical Company in Germany - 2016

Observation 1 – Most Important !

Approval of OQ – Regulatory Focus

Data Integrity – of Qualification

Time to Review / Update Instrument Life Cycle Process

“New” USP General Chapter

<1058> (Analytical Instrument Qualification)

Is Effective From August 2017….

USP <1058>

Impact of Data Integrity (DI) on USP Data Quality Triangle

Data Quality Triangle[From USP <1058>]

Instrument

Method

Run

Control

Samples

Usage

Usage

Method

Instrument

Instruments & Systems

Analytical

Procedure

Analysis

Foundation:

• Culture

• DI Policy

• DI Training

• DI Governance

• LeadershipAdapted From Bob McDowall

ECA Data Integrity Presentation.

Review Your Software / Instrument Life Cycle Process………. • Work with your Vendors /

Suppliers…..

• Review Your Life

Cycle Process • New GAMP Guide

• USP <1058>

• Data Integrity Will Dominate

Regulatory Inspections

• Quality Agreements(historically KPI / Metrics “driven”)

Data Integrity…. (Still Dominates)

• Collaborate….

Appendix - Additional Slides

Appendix Contents

• WebEx – Demystifying Software Validation……………………………

• Example – Warning Letter Trend……………………………………………...

• Evidence – Risk Based Audit Focus………………………………..……..

• Infrared – Data Integrity Example……………………………………………..

• Paper Vs Electronic………………………………………………………….

• FDA – Data Integrity Remediation ……………………………………………….

• Ron Tetzlaff – Data Integrity Video Link …………………………….

• Data Integrity – Table of Guidance ……………………………………

• Real World – Data Integrity Categories……………………………….

Demystifying Software Validation – Educational WebEx

http://www.agilent.com/en-us/video/demistifying-software-validation-2017

Example – Warning Letter Trend…. (Manipulation Vs Consultant !)

Implications for Risk Based Auditing ?

Regulatory audits focus on high risk areas, including:• Data Integrity

• Sterile Manufacture

• Contamination

R² = 0.83

0

5

10

15

20

25

30

35

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016

"Data Integrity"

“Trial Injection”

“Environmental

Monitoring”

“Cleaning

System”

It’s Only an Infrared !

Sample

FT-IR Sample

Preparation

• ATR

• Nujol Mull

• KBr Disk

• Film … Etc.

Sample

Preparation

Influences:1. Appearance

2. Variability [Skill]

3. Quality of Spectrum

Infrared

SpectrumSpectrum

ComparisonResult

Spectral

Comparison:

1. Electronicallyor

2. Using Print Outs[Reference material or Spectra]

Spectrum Quality:[of the sample preparation – not the identification]

1. Is the Quality of the sample

prep. good enough ?

2. How Managed / Documented ?

[OOS for sample prep. or procedure explaining

poor spectrum quality & how documented]

Validation[for intended use]

Instrument Performance:[How Do They Manage It ?]

1. Wavenumber [Accuracy]

2. Resolution [of Instrument]

3. Interference [contamination or water vapour]

4. Reproducibility [of Spectra – JP]

5. % T [Scale – Not Linear]

6. EP / JP / USP / IP / CP .. Etc.

Spectra – Do They:

1. Saved Electronicallyor

2. Define Print Out as Raw Data

Reference Spectra:

1. Approval of FT-IR Identification Test

2. Management of Suitability[of the Reference spectra & Materials Used]

Differences:

1. How Managedand

2. Documented[What level is significant]

Training[& SOP]

File Management:

Can Files Be:

1. Re-named ?

2. Manipulated ?

3. Deleted ?

Only compare spectra recorded

under the “same” conditions

[equivalent scan and sample preparation

defined by Pharmacopeia Requirements]

Technical Control [in the software]

Fundamentals: Paper Vs Electronic

Paper Vs.

Electronic[Records]

Greater Risk More Secure

Electronic

Paper

• Technically compliant (e.g. with 21 CFR part 11, audit trail “on”)

• Harder to manipulate (e.g. audit trail records changes)

• Manipulation easier to detect (e.g. recorded in the audit trail)

Procedural Control [around the paperwork]

• Assumes “following instructions / procedures”

• Easier to manipulate (e.g. change paper & photocopy)

• Manipulation harder to detect (e.g. no audit trail)

1. Direct Observation – at the time they do the work

2. Signed / Dated – paper records / protocols / forms / reports

3. Electronic Signatures – in software / audit trail

Need Both !

Need This

Don’t Share Passwords !

FDA Remediation

A Investigate Extent

B Risk Assessment

C Management Strategy

Interview: Current / Former Employees….. Root Cause

Extent…. Report All Deficiencies

Deeper Investigation of Breaches…… 3rd Party

Investigation Protocol / Methodology……… Scope

Impact of Data Integrity Lapses…… On Drug Quality

Detailed Corrective Action…… to Ensure

Comprehensive Description…… Root Cause

Interim Measures …… Actions

Long Term Measures…… Actions

Report…… Status

Reliability

Completeness

ucm521098

5 Management Misconceptions about Data Integrity – YouTube Video

1. 1:09 Limited to Fraud / Falsification (ALL DI, Including Error)

2. 2:07 Trust People – to Follow Procedure (Limitations on Procedural Control)

3. 3:35 “NIMBY” – It Won’t Happen Here…. (Over Confident – Don’t Know What People Do !)

4. 5:17 Root Cause = Human Error (Symptom, not Cause !)

5. 6:33 Data Integrity is New

A Lot of Data Integrity Guidance (too much ?)…..

Guidance Date Link Comments…..

FDA – Inspection of Pharmaceutical Quality Control Labs. 1993

Data Integrity is not “New” !FDA – PAI (Compliance Program Guide 7346.832) Nov. 2012

MHRA – GMP Data Integrity Guide Mar. 2015 2nd Edition. First Guidance ?

WHO – Draft Good Data and Record Management… Sep. 2015

FDA – Draft Data Integrity Guidance Apr. 2016 Reference to 50 CFR’s….

WHO – Good Data and Record Management Practice Jun. 2016 Comprehensive

MHRA – Draft GxP Data Integrity Guidance Jul. 2016 Implementation Time Line…..

PIC/S – Draft Good Practice for Date Integrity Management Aug. 2016 Japan / Korea ?(PIC/S members – non PICS GMP)

EMA – Data Integrity Questions and Answers Aug. 2016

SFDA – Drug Data Management Standard Aug. 2016 ? Translation in preparation

ECA – Draft Governance and Data Integrity Guide Oct. 2016 Governance……

Every Regulator…… ? ………….. ???

What Happens in the “Real World”

No. Category Classification Example Contribution

1Lapses of

ConcentrationMistakes

• Forgetting….. (supplemental

information…..)

• Manual Activity

• Poor Checking

2 MistakesHuman

Error• Transcription Error

• Manual Activity

• Complexity

• Poor Design

3Violation: Situational

Unplanned• Restart………

(after system crash….)

• Unplanned Event

• Training

4Violation: Standard

Poor

Workflow

• Change Control (ineffective – “drift” of

Method)

• Change Control

• Poor Design

5Violation: Optimised

Planned

Workflow

• Deviation Mgt. (make a change to

avoid deviation)

• Avoiding Extra Work

• Culture

6Intentionally

MisleadingFraud

• Intentional Data

Manipulation

• Culture

• Lack of Governance

Adapted from Guy Wingate Presentation (25 Years of GAMP)

What Happens in the “Real World”

Concentration

/ Mistakes

Human

Error

Unplanned

Events

Poor

WorkflowPlanned

WorkflowFraud

Design

Culture

LeadershipWhat If – Error Proof “Design”

• Template - Design

• Training – in Procedures

• Training – in Data Integrity Ineffective - Management

• Awareness – of what happens

• Ignorance – of Data Integrity

• Overly - Defensive

• Unacceptable - Thinking

• Workflow – of Data Perfect – Too Good

• Attitude - to “Patient”

• Expectations – No Errors

• Incentivization…..

Intentional Accidental

See

Ron Tetzlaff

Video Link