Month: May 2024

Challenges in Validation

I often get asked why I moved from a broader senior role in Quality Management to a particular but deep role in Quality Engineering and Validation. There are many answers, but the biggest is that validation is poised for some exciting shifts due to navigating a complex validation landscape characterized by rapid technological advancements, evolving regulatory standards, and the development of novel therapies. Addressing these challenges requires innovation, collaboration, and a proactive approach to risk management and data integration. Topics near and dear to me.

Today’s Challenges in Biotech Validation

1. Rapid Technological Advancements

The biotech industry is experiencing rapid technological advancements such as AI, machine learning, and automation. Integrating these technologies into validation processes can be challenging due to the need for new validation frameworks and methodologies.

2. Regulatory Compliance

Maintaining compliance with evolving regulatory standards is a significant challenge. Regulatory bodies like the FDA continuously update guidelines for technological advancements.

3. Complexity of New Therapies

Developing novel therapies, such as cell and gene therapies, introduces additional complexity to the validation process. These therapies often require redesigned facilities and equipment to accommodate their sensitive and sterile nature. Ensuring sterility and product quality at each process stage is crucial but challenging.

4. Data Management and Integration

Managing and integrating vast amounts of data has become challenging with the increasing use of digital tools and platforms. Effective data management is essential for predictive modeling and risk management in validation processes. Organizations must adopt robust data analytics and machine learning tools to handle this data efficiently.

5. Collaboration and Knowledge Sharing

Validation processes often require collaboration among various stakeholders, including validation teams, developers, and regulatory bodies. Ensuring real-time communication and data sharing can be challenging but is essential for streamlining validation efforts and aligning goals.

6. Resource Constraints

Smaller biotech companies, in particular, face resource constraints regarding funding, personnel, and expertise. These constraints can hinder their ability to implement advanced validation techniques and maintain compliance with regulatory standards.

7. Risk Management

Adopting a risk-based approach to validation is essential but challenging. Companies must identify and mitigate risks throughout the product lifecycle, which requires a thorough understanding of potential risks and effective risk management strategies.

Let’s Avoid the Term Validation 4.0

Let’s avoid the 4.0 term. We are constantly evolving, and adding a current ‘buzziness’ to it does no one any favors. We are shifting from traditional, paper-heavy validation methods to a more dynamic, data-driven, and digitalized process. Yes, we are leveraging modern technologies such as automation, data analytics, artificial intelligence (AI), and the Internet of Things (IoT) to enhance validation processes’ efficiency, flexibility, and reliability. But we don’t need buzziness, we just need to give it some thought, experiment, and refine.

Quality Agreements with Cloud Providers

Having a quality agreement with a cloud provider is crucial for several reasons:

Ensure Regulatory Compliance

A quality agreement helps ensure the cloud provider’s services and processes comply with relevant regulations and guidelines, such as GxP (Good Practice) requirements from agencies like the FDA, EMA, and MHRA. It defines the roles, responsibilities, and expectations for maintaining data integrity, security, and quality standards throughout the product lifecycle.

Delineate Responsibilities

Cloud services often involve complex technology stacks and multiple subservice providers. A quality agreement clearly delineates the responsibilities of the regulated company and the cloud provider, ensuring that critical activities like change control, incident management, data governance, and security controls are properly addressed and assigned.

Establish Service Levels

The quality agreement specifies the agreed service levels, performance metrics, and key performance indicators (KPIs) that the cloud provider must meet, such as application availability, support response times, data security breach notification timelines, and system performance. This helps maintain the required quality of service.

Enable Oversight and Audits

The agreement outlines provisions for initial qualification audits, periodic audits, and inspections by the regulated company to assess the cloud provider’s compliance with the agreed terms. It also defines processes for managing audit findings and corrective actions.

Ensure Data Integrity and Security

Addressing data-related requirements, such as data ownership, privacy, protection controls, retention, archiving, and disposal processes, is critical to ensuring data integrity and security throughout the data lifecycle.

Manage Third-Party Risks

The agreement establishes guidelines for the approval process and compliance requirements when the cloud provider uses subcontractors or third-party services, mitigating associated risks.

Contents

A quality agreement between a regulated company (customer) and a Cloud (SaaS, PaaS, IaaS) provider should cover the following key elements:

Roles and Responsibilities

Clearly define the roles, responsibilities, and obligations of both parties regarding:

  • Regulatory compliance (GxP, data privacy, security, etc.)
  • Quality management system and processes
  • Change control and release management
  • Incident and deviation management
  • Data integrity, backup, and recovery
  • Performance monitoring and reporting

Service Levels and Performance Metrics

Specify the agreed service levels and key performance indicators (KPIs) for:

  • Application availability and uptime
  • Support response and resolution times
  • Data security and breach notification timelines
  • System performance and capacity

Audits and Assessments

Outline the provisions for:

  • Initial qualification audits of the SaaS provider
  • Periodic audits and inspections by the regulated company
  • Processes for managing audit findings and corrective actions

Data Management

Address data-related aspects such as:

  • Data ownership and usage rights
  • Data privacy and protection controls (as per applicable regulations)
  • Data retention, archiving, and disposal processes

Subcontracting and Third Parties

Establish guidelines for:

  • Approval process for use of subcontractors/third parties
  • Ensuring subcontractors comply with the quality agreement
  • Communication of changes impacting the regulated company

Term, Termination, and Offboarding

Specify conditions for:

  • Initial term and renewal of the quality agreement
  • Termination rights (e.g., for non-compliance, data breaches)
  • Responsibilities during offboarding and data transition

The quality agreement should be a comprehensive yet pragmatic document that ensures the cloud solution meets the regulated company’s quality and compliance requirements throughout the engagement.

Component Manufacturers Validation Requirements

I recently got asked what a medical device component manufacturer’s validation requirements are. Here is my answer.

Component manufacturers play a crucial role in the medical device industry by producing various parts and components for proper functioning and assembly. Here are some key expectations and responsibilities of component manufacturers in the medical device sector:

  1. Quality and Precision Manufacturing: Medical device components often require high precision, accuracy, and quality to ensure patient safety and device efficacy. To meet these demanding standards, component manufacturers must adhere to stringent quality control measures, utilize advanced manufacturing techniques, and maintain strict tolerances.
  2. Regulatory Compliance: The medical device industry is heavily regulated, and component manufacturers must comply with relevant regulations and standards set by governing bodies like the FDA, ISO, and others. This includes maintaining proper documentation, implementing quality management systems, and ensuring traceability of materials and processes.
  3. Material Selection and Biocompatibility: Many medical device components come into direct contact with the human body or bodily fluids. Consequently, component manufacturers must carefully select biocompatible, non-toxic, and suitable materials for the intended application. They must also ensure proper sterilization and packaging to maintain sterility.
  4. Design and Engineering Support: Some component manufacturers offer design and engineering services in addition to manufacturing to assist medical device companies in developing new components or optimizing existing ones. This collaboration helps ensure that components meet specific performance, functional, and regulatory requirements.
  5. Supply Chain Management: Component manufacturers must have robust supply chain management systems to ensure the timely delivery of components to medical device manufacturers. This includes maintaining adequate inventory levels, managing logistics, and minimizing disruptions in the supply chain.

Yes, component manufacturers in the medical device industry are expected to validate their manufacturing processes to ensure the components they produce meet specified requirements and perform as intended.

  • Regulatory bodies like the FDA require that components critical to the safety and performance of medical devices be produced through validated processes. This helps ensure that components consistently meet quality standards.
  • Component manufacturers must perform Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) on their manufacturing equipment and processes.
  • Validation requirements apply to finished components and raw materials, sub-components received from suppliers, and any processes involved in producing the component. Traceability of validation activities throughout the supply chain is essential.
  • The level of validation required depends on the component’s criticality and risk to the final medical device. More stringent validation is expected for higher-risk components that directly contact the patient or are essential for device safety and efficacy.
  • The component manufacturer must maintain validation documentation such as protocols, test reports, and traceability matrices and provide it to the medical device company upon request for review and auditing purposes.

Quality and a Just Culture

It is fascinating that for all the discussion around quality culture, which borrows from Safety II and other safety movements/submovements, we’ve largely avoided using the term justice, which is so prevalent in certain areas of the safety world. One can replace quality with justice and talk about many of the same things.

Both attempt to realize Deming’s Point 8—to drive out fear—which I consider Deming’s most radical proposition.

We really should see them as building blocks. A just culture enables the open reporting and analysis of errors necessary for a quality culture to identify areas for improvement. The two cultures are complementary—a robust quality program requires psychological safety fostered by a just culture. However, a quality culture has broader aims beyond responding to errors or safety lapses. We cannot have a Quality Culture without a Just Culture.

Psychological safety creates an environment where staff can speak up, enabling a just culture. A just culture defines the balanced accountability approach for responding to errors and safety events. A quality culture is a broader concept that drives improvement across the organization, relying on the foundation of a just culture.

But I really wish we used the term justice more. Promoting justice is an activity I wish we took more seriously as a profession.

The State of the Analytical Lifecycle

There have been a lot of changes in the way pharma thinks of analytical lifecycles in the last few years. With changes in technology, new product modalities, ICH Q2(R2) and ICH Q14 being released in November 2023, and USP <1220> in 2022, it is fair to say we are all catching up with our analytical lifecycle programs.

Let’s discuss what I think are the four pivotal documents that provide direction.

ICH Q2(R2) and ICH Q14

ICH Q2(R2) and ICH Q14 are complementary guidelines that provide a comprehensive framework for the development, validation, and lifecycle management of analytical procedures used in the pharmaceutical industry.

ICH Q14 describes the scientific principles and risk-based approaches for developing and maintaining suitable analytical procedures throughout their lifecycle. It outlines the key elements and considerations for analytical procedure development, including:

  • Defining an Analytical Target Profile (ATP)
  • Knowledge management and risk assessment
  • Evaluating robustness and parameter ranges
  • Establishing an Analytical Procedure Control Strategy
  • Lifecycle management and post-approval changes
  • Multivariate analytical procedures
  • Real-time release testing

On the other hand, ICH Q2(R2) provides specific guidance on validating analytical procedures to demonstrate their suitability for the intended use. It covers various validation tests, methodologies, and evaluation criteria, such as:

  • Specificity/selectivity
  • Working range
  • Accuracy and precision
  • Robustness
  • Stability-indicating properties
  • Multivariate analytical procedures

In summary, ICH Q14 establishes the overarching principles and approaches for analytical procedure development. At the same time, ICH Q2(R2) focuses on the validation aspects to ensure the analytical procedures are fit for purpose and meet quality requirements throughout their lifecycle. The two guidelines are intended to be applied together, with ICH Q14 providing the framework for development and ICH Q2(R2) specifying the validation requirements.

USP <1220> Analytical Procedure Lifecycle and USP <1058> Analytical Instrument Qualification

USP <1220> Analytical Procedure Lifecycle and USP <1058> Analytical Instrument Qualification are closely connected and complementary guidelines that provide a comprehensive framework for ensuring data integrity and quality in analytical procedures throughout their lifecycle.

The key connections between USP <1220> and USP <1058> are:

  1. USP <1220> establishes the principles and requirements for managing the entire lifecycle of analytical procedures, from procedure design and development to retirement. It emphasizes the importance of defining an Analytical Target Profile (ATP) and implementing an Analytical Procedure Control Strategy.
  2. USP <1058> focuses explicitly on the qualification of analytical instruments that execute analytical procedures. It outlines the requirements for ensuring instruments are suitable for their intended use through proper qualification (Design, Installation, Operational, and Performance Qualification).
  3. The instrument qualification activities described in USP <1058> are critical to the overall Analytical Procedure Control Strategy outlined in USP <1220>. Proper instrument qualification as per <1058> helps ensure the quality and integrity of data generated by analytical procedures throughout their lifecycle.
  4. Both guidelines stress the importance of defining user requirements (ATP in <1220> and User Requirements Specification in <1058>) as the basis for procedure development and instrument qualification activities.
  5. USP <1220> requires ongoing monitoring and periodic requalification of analytical procedures, which includes re-evaluating the suitability of the analytical instruments used, as described in the Performance Qualification section of <1058>.

USP <1220> provides the overarching framework for holistically managing analytical procedures. USP <1058> focuses on ensuring the instruments used to execute those procedures are properly qualified and suitable for their intended use. The two guidelines work together to maintain data integrity and quality across the entire analytical lifecycle.

Complementary Approaches

USP <1220> Analytical Procedure Lifecycle is closely related to and complements the ICH Q2(R2) and ICH Q14 guidelines.

  1. USP <1220> aligns with the principles outlined in ICH Q14 for managing the entire lifecycle of analytical procedures, from design and development to retirement. Both emphasize defining an Analytical Target Profile and implementing an Analytical Procedure Control Strategy.
  2. The validation activities described in ICH Q2(R2), such as evaluating specificity, accuracy, precision, and robustness, are critical components of the Analytical Procedure Control Strategy required by USP <1220>.
  3. USP <1220> requires ongoing monitoring and periodic requalification of analytical procedures, which aligns with the lifecycle management approach promoted in ICH Q14 and the validation during the lifecycle section in Q2(R2).
  4. All these guidelines stress the importance of knowledge management, risk management, and a science/risk-based approach throughout the analytical procedure lifecycle.
  5. The instrument qualification requirements outlined in USP <1058> are an integral part of the overall Analytical Procedure Control Strategy described in USP <1220>, ensuring instruments are suitable as per ICH Q2(R2) validation principles.

In essence, USP <1220> provides a comprehensive framework for analytical procedure lifecycle management that incorporates and operationalizes the scientific principles and validation activities detailed in the ICH Q14 and Q2(R2) guidelines, while USP <1058> provides the roadmap for instrument qualification. These four documents establish harmonized best practices for analytical procedures from development through retirement.