Category: compliance

Leveraging Inspection Manuals for GMP Inspection Readiness

The various agency inspection manuals are critical tools for inspection readiness. I want to lay out where to find some of these manuals and then go deep into pre-approval inspections, focusing on data integrity.

European Medicines Agency

The European Medicines Agency (EMA) has established detailed procedures and work instructions for coordinating and conducting Good Clinical Practice (GCP), Good Manufacturing Practice (GMP), and pharmacovigilance inspections. Here are the key points regarding EMA’s inspection procedures:

GCP Inspection Procedures

  • EMA identifies applications for GCP inspections based on risk assessment criteria and exchanges information on shared applications with the FDA.
  • Inspections can be joint (conducted concurrently by EMA and FDA inspectors) or sequential (conducted separately by each agency).
  • EMA notifies the applicant/marketing authorization holder (MAH) and inspects sites about upcoming inspections through the IRIS industry portal instead of formal letters.
  • Applicants/MAHs must provide a signed statement accepting the inspection and granting direct access to documents and medical records.
  • Requested documents should be provided directly to inspectors in electronic format after consulting the reporting inspector.
  • After the inspection, EMA receives the draft inspection report, finalizes it with the inspectee’s responses, and publishes it in IRIS.

GMP Inspection Procedures

  • EMA coordinates GMP inspections based on risk assessment for marketing authorization applications, variations, and routine re-inspections.
  • Work instructions cover areas such as inspection announcement, fee calculation, product sampling/testing, and report circulation.

Pharmacovigilance Inspection Procedures

  • EMA has specific procedures for coordinating pharmacovigilance inspections and managing non-compliance notifications from MAHs.
  • Work instructions detail the inspection program creation, data entry in databases, and interactions with third-country inspectorates.

The EMA aims to harmonize inspection processes with the FDA and other regulatory bodies to streamline collaboration and information sharing while ensuring clinical trial subject protection and product quality.

FDA

The FDA Investigations Operations Manual (IOM) is the primary inspection manual used by FDA personnel when performing inspections and investigations.

The key points about the IOM are:

  • It provides comprehensive instructions, procedures, and policies for FDA investigators and inspectors to follow when conducting inspections, surveys, and investigations.
  • It covers inspectional activities for foods, drugs, medical devices, biologics, cosmetics, and other FDA-regulated products.
  • The manual details procedures for inspections of manufacturing facilities, sampling, import operations, recalls, consumer complaints, and other compliance activities.
  • It aims to ensure inspections are conducted consistently across FDA field offices and provide clear guidance to the industry on the FDA’s inspection approach.
  • The IOM is updated periodically to incorporate new laws, regulations, policies, and technological changes impacting FDA’s operations.
  • While not legally binding, the IOM represents the FDA’s current thinking and policies on inspections and investigations.

The FDA Investigations Operations Manual serves as the comprehensive inspection reference and procedure manual for FDA field staff carrying out the agency’s oversight and enforcement activities across all regulated product areas.

Pre-Approval Inspections

For new facilities, CPGM 7346.832, the FDA’s Compliance Program Guidance Manual for Pre-Approval Inspections (PAIs) of drug manufacturing facilities, is critical to spend time with. It outlines the objectives and procedures for FDA inspectors to evaluate a facility’s readiness for commercial manufacturing before approving a new drug application.

The key objectives of CPGM 7346.832 are:

  1. Assess if the facility has a quality system capable of controlling commercial manufacturing operations.
  2. Verify that the manufacturing processes, formulation, and analytical methods conform to the application details.
  3. Audit raw data integrity to authenticate the data submitted in the application.
  4. Evaluate the facility’s commitment to quality in pharmaceutical development (new objective added in 2022 revision).

The guidance instructs inspectors on evaluating the firm’s quality systems, process validation, data integrity, laboratory controls, change management, investigations, batch release procedures, and compliance with current Good Manufacturing Practices (cGMPs). It aims to ensure the facility can reliably produce the drug product described in the application.

Data Integrity

CPGM 7346.832 has specific requirements for data integrity audits during drug manufacturing facility pre-approval inspections (PAIs). Utilizing this document is an excellent way to evaluate your data integrity program.

The key points are:

  1. Objective 3 of the guidance is “Data Integrity Audit”—auditing and verifying raw data associated with the product to authenticate the data submitted in the application.
  2. Inspectors must audit the accuracy and completeness of data reported by the facility for the product. This involves verifying the factual integrity (data matches what was submitted) and contextual integrity (supporting data is complete).
  3. Inspectors should examine raw data, such as chromatograms, analyst notebooks, electronic data, etc., and compare it to the summary data in the application’s Chemistry, Manufacturing, and Controls (CMC) section.
  4. The data integrity audit should focus on finished product stability, dissolution, content uniformity, API impurities, etc.
  5. Inspectors must identify any unreported relevant data, data falsification, improper invalidation of results, or unexplained data discrepancies.
  6. Indications of data integrity issues include altered raw data, references to failing studies, discrepancies between samples, and missing records.

The data integrity audit aims to ensure the CMC data submitted to FDA is complete, reliable, and can be fully authenticated from the raw data at the manufacturing site. Robust data integrity is critical for the FDA to decide on the application’s approval.

FDA Revised MAPP Impact to Foreign Inspections

The FDA has updated its MAPP for staff, revising the “Understanding CDER’s Risk-Based Site Selection Model” (5014.1 Rev. 1). The update details how the FDA will prioritize inspections under the SSM and adds a risk factor for establishments in countries with a history of violations. This is a new risk factor for a region or entire country, whereas previously, mainly individual criteria such as site quality history, site type, and time since last inspection were used.

This is a fascinating addition, and I’d love to see the actual data on this risk factor. Anyone know if this can be FOIA’d? It would be interesting to see the difference between India and Mexico or even if they’ve subdivided the US.

Phase Appropriate – An Unpacking

There is no term more misused and misunderstood than “Phase Appropriate.” It is one of those terms that just about everyone involved in FDA-regulated industries has an opinion on and one where we all get tripped up.

What do we mean by phase?

Drug development can be divided into discovery, preclinical studies, clinical development, and market approval. 

Each one of these phases is further broken down.

It is also important to remember that certain activities may start in earlier phases. For example, for manufacturing, tech transfer, and commercial manufacturing can start in Phase 3 (and more and more these days even 2!).

A similar approach can apply to medical devices.

The GxPs – a brief definition

Phase Appropriate GMPs

A Review of Regulations

21 CFR 210.2(c)An investigational drug for use in a phase 1 study, as described in § 312.21(a) of this chapter, is subject to the statutory requirements set forth in 21 U.S.C. 351(a)(2)(B). The production of such drug is exempt from compliance with the regulations in part 211 of this chapter. However, this exemption does not apply to an investigational drug for use in a phase 1 study once the investigational drug has been made available for use by or for the sponsor in a phase 2 or phase 3 study, as described in § 312.21(b) and (c) of this chapter, or the drug has been lawfully marketed. If the investigational drug has been made available in a phase 2 or phase 3 study or the drug has been lawfully marketed, the drug for use in the phase 1 study must comply with part 211.
FDA Guidance CGMP for Phase 1 Investigational Drugs
EMA/INS/GMP/258937/2022Guideline on the responsibilities of the sponsor with
regard to handling and shipping of investigational
medicinal products for human use in accordance with
Good Clinical Practice and Good Manufacturing Practice
Eudralex Volume 4 Annex 13Investigational Medicinal Products
ICH Q10 Diagram of the ICH Q10 Pharmaceutical Quality System Model (Annex 2)

What Activities are Phase-specific for the GMPs

Phase 1:

  • Critical quality attributes identified with safety Critical Quality Attributes (CQAs) clearly documented
  • Process changes as information is accumulated
  • Controls for analytical methods

Phase 2:

  • Processes characterized and Production and Process Controls (PPC) identified
  • Analytical methods are qualified
  • Materials acceptance criteria
  • Critical vendors qualified

Phase 3:

  • Processes validated with Production and Process Controls (PPC) identified and controlled
  • Validation of analytical methods
  • Materials have been fully qualified and tested upon receipt as appropriate

What About the Quality System?

ICH Q10 clearly spells out the PQS requirements, breaking down into stages of Pharmaceutical Development (usually Phase 1 and earlier), Technology Transfer (usually phase 2), Commercial Manufacturing (which may start before approval) and Product Discontinuation. Q10 then lays out the expectations by these stages for the four key elements of:

  1. Process performance and product quality monitoring system
  2. Corrective action and preventive action (CAPA) system
  3. Change management system
  4. Management review of process performance and product quality.
 Pharmaceutical DevelopmentTechnology TransferCommercial ManufacturingProduct Discontinuation
Process Performance and Product QualityProcess and product knowledge generated and process and product monitoring conducted throughout development can be used to establish a control strategy for manufacturing.Monitoring during scale-up activities can provide a preliminary indication of process performance and the successful integration into manufacturing. Knowledge obtained during transfer and scale up activities can be useful in further developing the control strategy.A well-defined system for process performance and product quality monitoring should be applied to assure performance within a state of control and to identify improvement areas.Once manufacturing ceases, monitoring such as stability testing should continue to completion of the studies. Appropriate action on marketed product should continue to be executed according to regional regulations.
Corrective Action and Preventive ActionProduct or process variability is explored. CAPA methodology is useful where corrective actions and preventive actions are incorporated into the iterative design and development process.CAPA can be used as an effective system for feedback, feedforward and continual improvement.CAPA should be used and the effectiveness of the actions should be evaluated.CAPA should continue after the product is discontinued. The impact on product remaining on the market should be considered as well as other products which might be impacted.
Change ManagementChange is an inherent part of the development process and should be documented; the formality of the change management process should be consistent with the stage of pharmaceutical development.The change management system should provide management and documentation of adjustments made to the process during technology transfer activities.A formal change management system should be in place for commercial manufacturing. Oversight by the quality unit should provide assurance of appropriate science and risk based assessments.Any changes after product discontinuation should go through an appropriate change management system.
Management Review of Process Performance and Product QualityAspects of management review can be performed to ensure adequacy of the product and process design.Aspects of management review should be performed to ensure the developed product and process can be manufactured at commercial scale.Management review should be a structured system, as described above, and should support continual improvement.Management review should include such items as product stability and product quality complaints.
ICH Stage appropriate quality system elements

Together with ICH Q9, this sets forth a framework of building knowledge and risk management into all aspects of the system together with a robust issue management mindset. There are really three things driving this.

  1. Consistency in execution
  2. Document decision making
  3. Follow through

Some aspects remain pretty steady in all phases/stages, while others will grow as the organization develops.

The Difference Between Maturity and Phase Appropriate

People confuse phase appropriate with maturity all the time. Phase appropriate means doing the right activities in the right order. Maturity means the how is the most effective possible.

Quality Management Maturity (QMM) is the state attained when drug manufacturers have consistent, reliable, and robust business processes to achieve quality objectives and promote continual improvement. This is both composed of phase independent and phase dependent aspects.

Remember, a Quality Culture is the foundation that makes the rest of this happen.

Business Continuity Planning

The pharmaceutical regulations call, repeatedly for business continuity plans. For example, the FDA calls for fairly significant requirements for Medically Necessary Products:

Medically necessary drug products and their components are manufactured all over the world. An emergency situation anywhere in the world thus might affect the availability of drug products in the United States and result in drug shortages. Emergency preparedness for situations that could result in high employee absenteeism is an important goal for manufacturers of drug products and their components. For example, in an influenza pandemic, widespread human outbreaks of illness would be expected in the United States and around the world, resulting in widespread high absenteeism that could hinder normal production activities and cause shortages in the supply of drug products, packaging materials, and drug components. It is therefore vital for industry to prepare before an emergency situation occurs and to develop plans to ensure continuity of operations during emergencies (including, for example, an influenza pandemic, natural disaster, or personnel issue) that would prevent a significant portion of the work force from reporting. It is especially important for manufacturers of finished drug products to be aware of their suppliers’ and contractors’ responses to personnel shortages and, when appropriate, work with them to ensure the availability of high quality materials and services that contribute to the manufacture of MNPs.

FDA, Guidance for Industry Planning for the Effects of High Absenteeism to Ensure Availability of Medically Necessary Drug Products

You can find less definitive requirements throughout the various health authorities’ regulations and guidances.

So what do we mean by business continuity?

Business continuity is the holistic management process that ensures operations continue and that products and services are delivered at predefined levels (e.g. no shortages, no halt to an ongoing clinical trial). This approach is aligned with ISO 22301 Business Continuity Management Systems.

Business continuity management is an ongoing process based on the plan-do-check-act methodology that is made up of 4 key elements:

  • Emergency Action and Response Plans
  • Disaster Recovery Plans
  • Crisis Management Plans
  • Business Continuity Plans

Emergency Action Plans

An emergency action plan is designed to respond to an emergency with mitigating procedures to protect, secure and evacuate people to safety. This is more an OSHA thing; chances are your average Quality unit doesn’t end up owning it. Unless you have no HS&E unit, and then you write one.

This plan includes procedures for detecting, warning, and responding to specific potential emergencies such as fire, severe weather, earthquake, medical emergencies, workplace violence, and other potential threats.

Disaster Recovery Plan

Disaster recovery plans are designed to recover from a disaster, usually related to equipment, infrastructure, and information technology. Something big goes boom, how do you restore this vital support system or equipment as soon as possible and minimize downtime and loss of data. Very important for computer system lifecycle, disaster recovery plans should include specific plans for recovery functions, resumption strategies, critical personnel, equipment, services, and external and internal communications.

Crisis Management Plans

Crisis management is all about planning and mitigating situations that have risk, and are usually a lot of management of communications internally and externally. This includes with regulators, health care providers, etc. When we implement SOPs for health authority notifications we are engaging in crisis management planning.

Business Continuity Plans

Business continuity planning identifies and plans for disasters to events that could negatively an organization’s business functions, objectives, income, reputation, and ultimate survival. This planning takes place in advance of the potential disasters or events that could harm an organization. It takes potential disasters and events into consideration with their effects on suppliers, vendors customers, and the organization’s other stakeholders.

In a GxP environment, we are looking at the potential impact of disasters on drug supply and clinical study outcomes (amongst other key activities).

The BCP is all about minimizing the effects of the disaster or event on the organization and returning to normal operations as soon as possible.

These Plans are Interrelated

All four plans are interrelated and should be coordinated. The plans can be combined, but as there are usually very different owners they are often separated.

Documented Plans

The business continuity planning process should result in formal, documented plans that serve as a reference guide in the event of a disaster or event. The existence of the business continuity plans should be well communicated, with individuals with responsibilities having ready access and additional training.

Applying the Risk Management Process

The Business Continuity process should leverage existing risk assessments and sit around it.

Select Team

The team should be multifunctional and very knowledgeable about the organization’s business and the risks it faces. This should be a permanent team, not ad hoc, as this is a living process. You can always bring in ad hoc members for specific questions.

Define Context, Purpose, Scope

At a minimum you are tackling the disruption to product supply and cessation of critical GxP data but there may be other business requirements to tackle. Make sure everyone agrees on these.

Define Terminology

Make sure everyone is on the same page with just what disaster, event, crisis, stakeholder, and business continuity plan (and other important concepts) are.

Agree on the scales for likelihood and severity.

Critical Function Assessment

Identify the business functions that are sensitive to downtime, fulfill regulatory obligations and are vital for maintaining product supply.

Threat Assessment

Identify the threats to the performance of the critical functions.

Identify Hazards and Risks

There are three major categories of hazards:

  • Natural Hazards
    • Meteorological
    • Geological
    • Biological
  • Human-Caused Hazards
    • Accidents
    • Intentional acts
  • Technological Hazards
    • Information technology
    • Utility
    • Fire/explosion
    • Hazardous material
    • Supply Chain interruption

Utilize a risk matrix to assess the likelihood and severity of the identified hazards and risks.

Develop Business Continuity Plan(s)

After the hazards and risks have been identified, the impact understood and the risks assessed it is time to develop the business continuity plan (BCP). The BCP allows the organziation to survive the event or disaster with minimal disruption. The BCP focuses on mitigating the consequences of the event or disaster that could not be prevented. Recovery strategies for these cosnequences are determined, developed and become part of the BCP.

When many potential risks have been identified, use the risk score to prioritize.

BCPs cover management commitment, team ientification, team responsibilities, mitigation plans, recovery strategies, training, testing and evaluation and continious improvement. Basically the same thing any good plan does.

Mitigation plans are intended to lessen the negative effectis of an event or disaster.

Provide appropriate awareness training to everyone impacted, with more substantial trining to the BCP team.

Verify it periodically and ensure it is continues to be relevant.

Whenever relevant, procceduralize these BCP instructions.

The GxPs – a brief definition

Jargon is something we should work hard to avoid, and yet there is an awful lot of it we find difficult to let go. Right at the top is the GxPs.

GxP is a general abbreviation for the “good practice” quality guidelines and regulations. The “x” stands for the various fields, including the pharmaceutical and food industries, for example good manufacutiring practice, or GMP.

There are a lot of GxPs, though we tend to focus on 5(ish), depending on where you are.

We tend to argue a lot about them. Even to the GxP vs GXP. Or GPvP vs GVP. Or GdocP or GDP (so damn confusing, there is another GDP – Good Distribution Practices). Or if Good Storage Practice is its own body or part of the GMPs and GDPs. And…and…and.. The arguing can be fun.

The Five big ones in pharma and medical devices are GLP, GCP, GMP, GDP and GPvP. Some of the others like GACP are pretty intesting in their application.

Some like GDocP and GAMP are more specific threads that go across the GxPs.

By nature the GxPs are tied to the phase of the pharmaceutical pipeline.

The GxPs are all about ensuring compliance and are informed from a wide range of sources, starting with law and regulations.

Being in the age of globalization, there are many many sources to draw from.

This can also draw from beyond the health authorities (for example in the US USDA for GACP or the DEA for parts of the GDPs).

At the end of the day, GxPs answer to five important criteria.