When the FDA Describes a CAPA Program, Listen

Occasionally the FDA writes a Warning Letter that is a succinct lesson in what is important about a quality system. In this Warning Letter they masterfully describe what a CAPA Program is. As this one further describes how to deal with an inadequate cleaning program it is near and dear to my heart.

Deviation Review for CxO – Best Practice

Regulatory agencies have continually continued to make it clear that when a Contract Manufacturing Organization (CMO) or Contract Research Organization (CRO) experiences a deviation, the sponsor/Marketing Authorization Holder (MAH) has several key responsibilities:

Review the deviation: The sponsor must thoroughly review the deviation to ensure it was appropriately defined and investigated. This review is crucial as the sponsor cannot delegate their responsibility to ensure the drug product is safe, effective, and conforms to specifications and regulatory commitments.
Assess product impact: The sponsor should ensure that the CMO has properly assessed the impact of the deviation on the product. This includes evaluating whether the deviation affected material quality, safety, or efficacy.
Verify appropriate material control: It’s the sponsor’s responsibility to ensure the CMO has appropriately controlled the affected material and extended this control to any other potentially affected materials.
Make disposition decisions: Ultimately, the sponsor is responsible for deciding whether the product should be released, reprocessed, or rejected. This decision is especially critical if the deviation affected material in clinical trials.
Oversee corrective and preventive actions: The sponsor should understand how the CMO’s corrective and preventive action (CAPA) system operates and ensure appropriate measures are taken to prevent recurrence of the deviation.
Maintain oversight: While the quality agreement defines the CMO’s responsibilities, the sponsor retains 100% oversight, including executed batch record review, change control, and deviation review and approval.
Risk-based approach: For major or critical deviations, sponsors should employ a risk-based approach to assess the severity and potential impact.

To simplify the deviation notification process with a Contract Organization (CxO), sponsors and can implement several strategies:

Clear Communication and Documentation

Establish a Well-Defined Quality Agreement: Create a comprehensive quality agreement that clearly outlines the deviation notification process, including timelines, classification criteria, and reporting requirements.
Implement Standardized Templates: Develop and provide standardized templates for deviation reporting to ensure consistency and completeness of information.
Set Clear Notification Timelines: Agree on specific timelines for different deviation categories. For example, critical and major deviations should be reported within one business day.

Risk-Based Approach

Adopt a Quality Risk Management (QRM) Mindset: Approach the partnership with a focus on risk management, ensuring that both parties understand the potential impact of deviations on product quality and patient safety.
Calibrate Risk Classification: Align the deviation classification system between the sponsor and CxO to avoid discrepancies in severity assessment.

Streamlined Processes

Utilize Electronic Quality Management Systems: Implement digital tools to facilitate real-time reporting and tracking of deviations, improving efficiency and transparency. Yes, the sponsor should be taking a risk based approach to tracking deviations in their eQMS that captures the important sponsor/MAH decision making.
Define Clear Roles and Responsibilities: Clearly delineate who is responsible for each step of the deviation management process, from identification to reporting and investigation.

Training and Support

Provide Comprehensive Training: Ensure that CxO staff are well-trained on the sponsor’s quality expectations, deviation reporting procedures, and the use of any specific tools or systems.
Offer Ongoing Support: Establish a dedicated point of contact or support team to assist the CxO with questions or issues related to deviation reporting.

Regular Review and Improvement

Conduct Periodic Reviews: Schedule regular meetings to review the deviation notification process, discuss any challenges, and identify areas for improvement.
Encourage Open Dialogue: Foster an environment where the CMO feels comfortable reporting issues promptly without fear of punitive action.

I strongly believe that a CxO needs to implement these strategies (do not put it only on the MAH’s shoulders) as part of their client onboarding and management process to create a more efficient and effective deviation notification process. This approach not only simplifies the process but also ensures that critical quality information is communicated promptly and accurately, ultimately contributing to better product quality and regulatory compliance. Add some value and don’t make the sponsor beg for information.

Classification of Changes for GMP/GDP

Classification of change controls within change management is a common and widely accepted best practice. It stems from the requirement that change proposals as assessed from a risk perspective, where:

the level of rigor, effort and documentation is commensurate with the level of risk,
the risk assessments adequately evaluate the potential risks and benefits of changes to product quality, safety and efficacy, and
those risk assessments consider the potential risks and benefits to other products, processes and systems.

Classification for GMP/GDP changes itself is not a requirement, it is a guidance, best found in the PIC/S Recommendation “How to Evaluate and Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management” (PI 054-1) which states in section 5.2 “Change Management procedures often require a risk-based classification (e.g. critical, major, minor) to be assigned to proposed changes as well as an impact assessment to be performed. The latter routinely determines the potential impacts of the proposed change on various items, such as product quality, documentation, cleaning, maintenance, regulatory compliance, etc. In some cases, especially for simple and minor/low risk changes, an impact assessment is sufficient to document the risk-based rationale for a change without the use of more formal risk assessment tools or approaches.”

The PIC/S tells us that these categories drive the amount of rigor a change control requires, which is a great reason to have them. We spend time creating and confirming our categories, and then we only need to perform more rigorous risk assessments on the big changes.

How should we build this risk-based classification system? There are four criteria that drive this:

Potential regulatory impact
Potential impact on the qualified and validated state
Potential impact on the ability to disposition and ship product
Complexity

I tend to use only two categories, defined like this:

Major has Significant Impact: Changes that have a considerable potential impact on the process, product quality, safety, or regulatory status.

Minor has Limited Impact: Changes that have minimal or no significant impact on the process, product quality, safety, or regulatory status.

Change Management is Bigger than Change Control So Think Beyond Individual Changes

For regulatory impact, it really is as easy as dividing things into the four categories. “Do, Report, and Do and Record are minors. “Do and Tell” are majors, and “Tell and Do are either majors or critical based on how you slice it.

When considering potential validation impact you’ll leverage your process risk assessments and your validated state to determine what is in that bucket. This is why I like a document like an operational control strategy because this tells me exactly what impacts my validated state and I can just it to form this category.

The potential impact on the ability to disposition and ship the product has me looking at what can impact the ability to release and get the product out the door, which is an important aspect of what we do. Remember, a shortage of products is a quality issue.

Complexity looks at how many processes and systems are impacted and how many functions and areas are involved. The more complex, the more formal risk assessment is required. For example, you might use groupings like this:

Low level of complexity

Requires actions from the change owner and the system owner’s department(s) only
Impacts 1 system
<10 document revisions (approximate)
<2 potential training audiences (approximate)

Higher complexity:

Requires actions from more than change owner and system owner
Impacts more than one system
>10 document revisions
>2 potential training audiences (approximate)

The where of making the classification also makes a difference. I recommend up front, agreed to by the change owner and quality and it then drives everything. Doing it just before approval really just decides who gets to approve the change control and whether it goes to CCRB or not.

These classifications can be loose guidelines; for example, a table that looks at the first three categories and then by complexity. Your rating depends on whichever Impact or Complexity is higher.

Impact of Change (regulatory, validation, product)		Complexity of Change
Minor	No risk to patient as assessed by SISPQ, product, or validated equipment or process AND No regulatory impact.	Limited impact to only one system/functional area AND Has defined process for implementation of change. (e.g. all action items are per defined procedures)
Major	Potential impact to patient or product SISPQ or validated equipment or process or compliance	Impacts multiple systems / functional areas OR Has defined process for implementation of change
Critical	High likelihood of impact to patient, product SISPQ or validated equipment or process or compliance	Impacts multiple systems / functional areas OR Implementation activities are not pre-defined or governed by formal internal system

Or we could try for something much more specific. The advantage of specific is any change owner can start making the determination. Something like this:

Change Category	Change Description
Manufacturing Processes	In-process labeling
	Changes to Process Control and Operating Parameters (tightening/shifting) within current batch record (does not impact established conditions)
	The addition of in-process or final product samples
	Changes to sample volume for in-process or finished product samples
	Addition of new ancillary equipment (e.g. no product contact, does not control process steps) to the process
Analytical Methods	Changes to the qualification of a critical reagent (i.e., in-house produced assay standards and controls)
	Use of an additional new instrument of the identical model and vendor
	Change in compendial method to comply with formal updates to compendia, provided it does not involve the widening of system suitability or acceptance criteria
	Equipment/instruments calibration, maintenance, and cleaning
	Changes to software or validated analytical spreadsheets that do not impact the current validated state of the method
	Movement of instruments from one location to another in the same room/lab
	Initial validation of analytical spreadsheets for use in calculation of data and results defined by a specific analytical method, provided it does not replace a worksheet in an SOP (if so, this change may be reportable)
	Changes to non-critical equipment or materials that allow “or equivalent” in current method, provided method re-validation is not required
Drug Substance or Drug Product Specifications/ Limits	Changes to the sampling plan involving changes to the number of extra samples or amount of sample provided to QC or CMO as appropriate.
Drug Substance or Drug Product Specifications/ Limits	Changes to the storage and/or shipping conditions of samples (except for stability vials)
Raw Materials/Com ponents	Compendial Specification Changes to meet Compendial updates
	Non-product contact filters
	Vendor increase or decrease in the number of items per shipping container, or the size of the shipping or outer container
	Changes to the vendor Certificate of Analysis (format change only)
	Changes in recommended expiration date and/or storage conditions of raw material
Finished Goods	Catalog Number changes to components
	Creation of label at contract manufacturing site for existing presentation (assuming ‘No’ other change to already approved label)
	Changing position of pharmacode on leaflet
Computer	When there is no validation impact
Facility, Utilities, Systems and Equipment (including Automation)	Equipment/instrument maintenance
	Decommissioning of equipment not classified as critical equipment
	Computer programming that affects non-production equipment
	Alarms (i.e., notification system for out of tolerances)
	Cleaning and Sanitization of Manufacturing facilities and non-product Contact equipment
	Upgrade of Application Software or operating system
	Alarm set point changes
	Creating user groups and modifying user group privileges
	Tuning parameter, adjustment to the gain, reset and rate of a PID controller
	Phase or sequence change that does not affect the function and performance
	Modifying a phase prompt or message (technical change)
	Addition of a graphic, adding or changing a non-static device to a graphic (technical change)
	Addition or changing to an interlock/permissive trigger
	Changes to alarm paging/notification functionality

Spend the time on your classification structure. You will use it to:

Determine level of risk assessment (major yes, minor no)
Determine approvals (minors can be as simple as change owner and quality)
Does this change require a CCRB? Only send majors.

Crowdstrike debacle, Three Brief Thougths

This is not an unexpected accident. It has happened before on a smaller scale. We’ve seen companies like Crowdstrike under-resource their system controls that should prevent this. There is probably a strong case for regulation here. Maybe the EU will do something.
Pharma companies should consider situations like the Crowdstrike incident in their business continuity plans. Plan for a week or more of what happened Friday.
While my flight was only delayed an hour, there were sure to be a lot of grumpy and angry-looking people at Sea-Tac and Logan. I really think if we didn’t have a dysfunctional Congress, we would have seen a real change in how the airline industry is regulated by now.

Idea Vaults

It is common for numerous meetings to go unrecorded, leading to the risk of losing valuable ideas that are dismissed. This can hinder the group’s ability to achieve its full potential, as revisiting past ideas has the potential to enhance overall performance. Forgetting is a significant barrier to generating innovative ideas; however, engaging in discussions about previous ideas can result in fresh insights. Fortunately, with the aid of chat windows, electronic whiteboards, and other virtual collaboration tools, it is possible to preserve past discussions effectively. This allows for easy access to previously overlooked ideas and facilitates thorough reviews, ultimately contributing to improved collaboration and innovation.

An idea vault is a tool or system that stores, organizes, and manages ideas for future use. This concept can be applied in various contexts, such as personal creativity, business innovation, and project management. Here’s a comprehensive guide on how to use an idea vault effectively:

Organizing Your Ideas

Ideas need to be curated to be of value:

Categorization: Group similar ideas together. Categories can be based on themes, projects, or types of ideas (e.g., story ideas, business concepts, marketing strategies).
Tagging: Use tags to make searching for specific ideas easier. Tags can include keywords, project names, or stages of development.
Prioritization: Rank your ideas based on their potential impact or urgency. This helps in focusing on the most promising ideas first.
Documentation: Provide enough detail for each idea so that you can understand and develop it later. This may include notes, sketches, diagrams, or links to related resources.

Using Your Idea Vault

With your ideas organized, you can now use your vault to enhance your creative and productive processes:

Idea Generation: Review your vault regularly to spark new ideas or find inspiration for current projects. Combining or modifying existing ideas can lead to innovative solutions.
Project Planning: Pull relevant ideas from your vault to create a solid foundation when starting a new project. This ensures that no good idea goes to waste.
Problem Solving: If you encounter a roadblock, your idea vault can provide alternative approaches or solutions you might not have considered initially.
Collaboration: Share your idea vault with team members or collaborators to gather feedback and build on each other’s ideas.

Maintenance and Updates

An idea vault is best used as a living document, which requires regular maintenance:

Regular Updates: Add new ideas as they come to you and update existing ones with new insights or developments.
Review and Cull: Periodically review your vault to remove outdated or irrelevant ideas. This keeps your vault focused and manageable.
Track Usage: Mark ideas that have been used or developed to avoid duplication and to keep track of your creative journey.

Blending Ideas

To make your ideas more interesting or unique, consider blending two or more concepts together. This can lead to unexpected and innovative outcomes. For example, combining elements from different genres or industries can result in novel solutions or creative projects.

By following these steps, you can effectively use an idea vault to capture, organize, and utilize your ideas, ensuring you and your team’s creative potential is fully realized.