Being Small and Speciality Does not Exempt from the GMPs

Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid. Which is, yes, what you might think it is. And as far I can tell, mostly ships direct to compounding pharmacies and patients. This month they got a warning letter.

The warning letter highlights:

  1. Failure to validate the process
  2. Failure to test to specification
  3. Failure to exercise sufficient controls over computerized systems

All three of these observations make me rather glad my loved-ones take levothyroxine and I am deeply aware of all the difficulties in that drug supply.

Focusing more on the computer system, it is an unsurprising list of bad access controls, change controls not controlled, and failure to validate excel spreadsheets.

The last observation really stood out to me:

Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”

This is truly a failure in document access and record management. And it is one I see a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:

  • Documents should be stored in a manner which ensures appropriate version control.
  • Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
  • Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
  • Document issuance should be controlled by written procedures that include the following controls:
    • details of who issued the copies and when they were issued; clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
    • ensuring that only the current approved version is available for use;
    • allocating a unique identifier to each blank document issued and recording the issue of each document in a register; – numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
    • where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
    • critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
    • where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document

There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.

Requirements on Privacy in Clinical Trials

Been thinking a lot recently of privacy in regard to clinical trials. As you do, I started with gathering some requirements together. Here is what I have:

Brief Standard IdentifierDescription of Industry StandardRegulation/Guidance/ Source
Subject Identification in Data SystemsThe business has SOPs to ensure that data collection instruments and databases utilize an unambiguous subject identification code that allows identification and linkage of all the data reported for each subject. Data tools and systems do not contain personally identifiable information, except the unique subject identification code to link data across the study.GCDMP – Data Privacy; ICH 5.5.5
Patient Diaries ReviewThe business has and utilizes SOPs to ensure that the Investigator site personnel review paper-based patient diaries prior to sending the diaries to Data Management to confirm that no personal identification information is present.MHRA 8.2.7
Confidentiality of Subject RecordsThe business utilizes formal procedures and practices to ensure that the confidentiality of records that could identify subjects is protected in accordance with the applicable regulatory requirement(s).ICH 2.11
Informed Consent Prior to Data CollectionThe business has a process to establish expectations with the site and confirm that informed consent is obtained from every subject prior to clinical trial participation and prior to processing clinical data. The process should provide direction for withdrawal and revocation of consents.ICH 2.9, 4.8.8, 6.5.3 21 CFR 50
Privacy and Personal Data Protection PolicyThe business has a Privacy and Personal Data Protection Policy and a Chief Privacy Officer/ Data Protection Officer to ensure compliance with EU GDPR and other country, local, and Independent Ethics Committee-required privacy, and data protection practices.US HIPAA EU 1995 Data Protection Directive 1995/45/EC EU GDPR 2016/679 Japan 2016 Act on the Protection of Personal Information- US Privacy Act
Privacy and Personal Data Protection Documented PracticesThe business has documented procedures, standards, documentation requirements, and responsibilities for defining and ensuring confidentiality, protection, and security of personal data (including but not limited to employee, client, investigator, and patient data) and applying Privacy by Design requirements into procedures that include: definitions of personally-identifying information descriptions of personal information collected the purposes for which it is collected the lawful basis (in the EU) for its collection/use the types of persons to whom it will be released the countries to which it may be transferred privacy and security safeguards the rights of individuals with respect to their personal information compliance monitoringUS HIPAA EU Data Protection Directive 1995/45/EC EU GDPR 2016/679 Japan’s Law Concerning the Protection of Personal Information – 2005; Japan Act on the Protection of Personal Information- 2016
 The business has documented procedures, standards, documentation requirements, and responsibilities for conducting Privacy Impact Assessments, including when they are implemented, or documentation regarding why they are not applicable.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Personal Data Processing, De-identification and PseudonymizationThe business has documented procedures, standards, documentation requirements, and responsibilities for enhancing privacy and protecting personal data, both at the time of determining the means for processing data and at the time of actual processing, by adherence to the data minimization principle (i.e., ensuring that only data needed for a clinical trial are collected from clinical trial subjects’ records), encryption at rest and during transit, de-identification and pseudonymization.   Where pseudonymization is deployed, the business has appropriate technical (e.g., encryption, hashing, or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures in place to separate pseudonymous data from identification keys.EU GDPR 2016/679
Personal Data Capture and Data Flow ProceduresThe business has written procedures for documenting the data flow for the organization/for individual projects. The data flow comprises what personal data the organization holds, where it came from, and with whom they share it.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Individual Privacy Notice or ConsentEnsuring that individuals are informed of all required privacy provisions in Privacy Notice or Consent, including: their right to confirm if and how their data are processed, including the right to object to (or limit use of) processing and the right of erasure; plans for data retention; the right to receive a copy of their personal data and to have them transmitted to other organizations; and the complaint process.US HIPAA EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Support for Personal Data Subject RequestsReceiving, processing, and responding to Personal Data Subject Requests submitted by Data Subjects per their rights under GDPR, and/or assisting the Client to fulfill Client’s obligation to do so: right of access right to rectification restriction of processing erasure (“right to be forgotten”)data portability objection to the processing, or the right not to be subject to automated individual decision makingEU GDPR 2016/679 Directive 1995/45/EC
Privacy and Personal Data Breach ProceduresDetecting, reporting, and investigating personal data breaches, and communicating confirmed data breaches to impacted parties within timelines dictated by applicable regulations (72 hours for regulatory authority reporting) and agreements. Sponsor will be notified of any data breach in association with sponsor projects, including breaches at subcontracted vendors, according to pre-defined timing.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679
Privacy and Personal Data Protection TrainingThe business trains all individuals who have access to personal data on the policy and practices that ensure confidentiality, protection, and security of personal data.EU Data Protection Directive 1995/45/EC EU GDPR 2016/679

GMP Lab Warning Letter – A Baseline of Expectations

A February 2022 FDA Warning Letter to Accu Bio-Chem Laboratories provides a great baseline for what your audit programs should look at and what your own labs should focus on:

Throw in a good lab instrument qualification review, and supplier/raw materials management, and you have a pretty solid program.

FDA CDER Quality Management Maturity White Paper

FDA’s Office of Pharmaceutical Quality (OPQ) in the Center for Drug Evaluation and Research (CDER) recently published a white paper proposal on the development of a rating system to measure a firm’s quality management maturity (QMM)  as a way to mitigate drugs shortages and enhance the quality of finished drug products. These ratings would be publicly available. This is very aligned in thought to the recent NAS study recommendations in a paper commissioned by Congress.

This fits nicely within the recent draft guidance on metrics, and the two are definitely meant to fit together.

I am a big advocate of this work. I definitely want to see the particulars, but this is a long time coming and greatly needed. Frankly, the best way to make them happen is to require the QMM to be a factor in purchasing decisions for Medicaid/Medicare and the Veterans Hospitals (and more if possible).

The agency will be holding two workshops on quality management maturity, on May 24 and May 25. The first workshop will address CDER’s QMM program and the second will discuss quality ratings.

FDA Prescription Drug User Fee Renewals

I am not a huge fan of PDUFA. It puts the wrong cast on things. Fees are something I pay for a service, and it should put me in the driver’s seat (well except for airlines and everyone hates that). We tax for government services. Making the FDA dependent on pharma creates an imbalance in power that quite frankly shouldn’t exist.

The extent of statutorily required industry input in the drug regulation and reauthorization processes has increased as a result of the PDUFA reauthorization. The centrality of user fees to the modern FDA has led some observers to express concern that they have contributed to “corrosive capture” of the agency (i.e., a weakening of regulatory independence and of the ability of the agency to uphold traditional efficacy and safety standards) by shaping discourse about how drugs should be regulated or by enabling an unhealthy culture of closeness between the FDA and industry. Each successive PDUFA has required the FDA to be increasingly responsive to industry concerns.

The FDA plays a crucial role in protecting the health of the public while approving new treatments in a timely fashion. Thirty years of experience with user fees has shown that, in the face of inadequate public funding of the personnel budget of the FDA, increased funding by its egulated industries can indeed improve regulatory timelines. This increased speed has also raised questions related to the decisions being made and the growing reliance of the agency on financial support from the companies it regulates, as the user-fee model has fundamentally changed the way that the FDA interacts with industry. In a different political climate, adequate public funding in place of user fees would allow the FDA to continue its current performance levels while adding further confidence that the public remains the primary client of the FDA.