Section 711 of FDASIA and Regulatory Obligations

Too often, I see folks in pharma focus on 21 CFR Chapter 1, or at best all three chapters, maybe know the guidances and pay attention to little else. Unfortunately, that approach will often get one in trouble.

Section 711 of the Food and Drug Administration Safety and Innovation Act (FDASIA) amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) to enhance the safety and quality of the drug supply chain. Specifically Section 711 amends Section 501(a)(2)(B) of the FD&C Act by adding the following sentence:

“For purposes of paragraph (a)(2)(B), the term ‘current good manufacturing practice’ includes the implementation of oversight and controls over the manufacture of drugs to ensure quality, including managing the risk of and establishing the safety of raw materials, materials used in the manufacturing of drugs, and finished drug products.”

This amendment clarifies that current good manufacturing practice (CGMP) requirements for drugs include:

  1. Implementing oversight and controls over the entire manufacturing process to ensure quality.
  2. Managing the risks related to raw materials, other materials used in manufacturing, and finished drug products to establish their safety.

In essence, Section 711 expands the FDA’s CGMP authority to explicitly cover supply chain management and drug manufacturers’ oversight of their suppliers and contract manufacturing operations. It also allows the FDA to enforce supply chain control requirements during inspections.

The legislative history shows that Congress intended to significantly expand the FDA’s authority over the increasingly global drug supply chain through this provision. It allows the FDA to scrutinize how manufacturers select, qualify, and oversee suppliers of raw materials and contract manufacturers to ensure drug quality and safety.

Please note that the FDA gets this expanded authority without revising 21CFR. That’s how it works; Congress can do that. Will we eventually see some 21 CFR updates? I have no idea.

But what this does mean is that the FDA has the authority to:

  1. Inspect risk management for GMPs, and assume you have it. What does good risk management look like? The agency has adopted ICH Q9(r1) as guidance, so start there.
  2. Inspect your supplier management, which includes qualifying and overseeing suppliers and contract manufacturers.

I’ve started to receive regulatory intelligence that this is coming up in inspections. Expect to be asked for the risk management evidence and for supplier qualification and oversight evidence.

Aging in the Workforce – or Why All Those Years Matter

Source: https://flowingdata.com/2024/06/18/older-or-younger-than-the-population/

Wow, I’m older than a lot of people. When did that happen? (Shout out to my small cohort of fellow Gen-Xers!) So, in a bit of reflection, I want to discuss why I think aging in the quality profession is so critical.

The quality profession is an experience-heavy field. While formal education can provide some necessary theoretical knowledge, the practical skills required for the quality profession can only be mastered through extensive hands-on experience, practical application of skills, and the ability to adapt to real-world challenges.

Key characteristics

  1. Direct Experience: Students participate in activities that require them to apply what they have learned in a practical setting. An old adage is that you must do a job for three years before understanding it. However, you must keep going through the iterations since quality comprises multiple jobs. For example, my progress from deviation reviewer to eQMS implementation, to computer systems quality, to risk champion, to quality engineering, to change management process owner, to computer system implementor, to technology implementor, to validation quality, to operational excellence, to quality systems leader, to validation leader (and I am leaving a lot out). Layering and layering real experience again and again.
  2. Reflection: Reflection is a critical component of experiential learning. Most people don’t do that enough. The quality profession requires us to think about our experiences, analyze what we have learned, and consider how it applies to our work. Audits and inspections are interesting tools that can drive reflection when approached correctly.
  3. Active Participation: Quality professionals must be active agents in their learning process. They take initiative, make decisions, and are responsible for the outcomes of their actions. This active engagement helps to deepen their learning and develop critical thinking skills.
  4. Community Engagement: I joke about being able to tell what company some spent their formative years in. And that is not a good thing. Quality professionals need to seek out collaboration with the wider community members, often through professional organizations.
  5. Integration of Knowledge and Practice: Experiential fields bridge the gap between theoretical knowledge and practical application. Quality professionals must integrate what they have studied with real-world experiences, enhancing their understanding and retention of the material. And then do it again.

The quality profession is a dynamic and interactive learning environment emphasizing learning by doing, reflecting, and applying knowledge in real-world contexts.

Back Up and Recovery Testing

Backup and recovery testing are critical to ensuring data integrity and business continuity for critical computerized systems. They are also a hard regulatory requirement in our computer system lifecycle.

Part 11 (21 CFR 11.10 and 11.30) requires that:
“For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of the systems in the event of an incident or system failure. This includes implementing adequate backup and recovery measures, as well as providing sufficient system redundancy and failover mechanisms.”

Part 11 also requires that “The backup and recovery processes must be validated in order to ensure that they operate in an effective and reliable manner.”

Similarly, Annex 11 requires that backup and recovery processes be validated to ensure they operate reliably and effectively. Annex 11 also requires that the validation process be documented and includes a risk assessment of the system’s critical processes.

Similar requirements can be found across the GxP data integrity requirements.

The regulatory requirements require that backup and recovery processes be validated to ensure they can reliably recover the system in case of an incident or failure. This validation process must be documented, including a risk assessment of the system’s critical processes.

Backup and recovery testing:

  1. Verifies Backup Integrity: Testing backups lets you verify that the backup data is complete, accurate, and not corrupted. It ensures that the backed-up data can be reliably restored when needed, maintaining the integrity of the original data.
  2. Validates Recovery Procedures: Regularly testing the recovery process helps identify and resolve any issues or gaps in the recovery procedures. This ensures that the data can be restored wholly and correctly, preserving its integrity during recovery.
  3. Identifies Data Corruption: Testing can reveal data corruption that may have gone unnoticed. By restoring backups and comparing them with the original data, you can detect and address any data integrity issues before they become critical.
  4. Improves Disaster Preparedness: Regular backup and recovery testing helps organizations identify and address potential issues before a disaster strikes. This improves the organization’s preparedness and ability to recover data with integrity in a disaster or data loss incident.
  5. Maintains Business Continuity: Backup and recovery testing helps maintain business continuity by ensuring that backups are reliable and recovery procedures are adequate. Organizations can minimize downtime and data loss, ensuring the integrity of critical business data and operations.

To maintain data integrity, it is recommended that backup and recovery testing be performed regularly. This should follow industry best practices and adhere to the organization’s recovery time objectives (RTOs) and recovery point objectives (RPOs). Testing should cover various scenarios, including full system restores, partial data restores, and data validation checks.

LevelDescriptionKey ActivitiesFrequency
Backup TestsEnsures data is backed up correctly and consistently.– Check backup infrastructure health
– Verify data consistency
– Ensure all critical data is covered
– Check security settings		Regularly (daily, weekly, monthly)
Recovery TestsEnsures data can be restored effectively and within required timeframes.– Test recovery time and point objectives (RTO and RPO)
– Define and test various recovery scopes
– Schedule tests to avoid business disruption
– Document all tests and results		Regularly (quarterly, biannually, annually)
Disaster Recovery TestsEnsures the disaster recovery plan is effective and feasible.– Perform disaster recovery scenarios
– Test failover and failback operations
– Coordinate with all relevant teams and stakeholders		Less frequent (once or twice a year)

By incorporating backup and recovery testing into the data lifecycle, organizations can have confidence in their ability to recover data with integrity, minimizing the risk of data loss or corruption and ensuring business continuity in the face of disasters or data loss incidents.

AspectBackup TestsRecovery Tests
ObjectiveVerify data integrity and backup processesEnsure data and systems can be successfully restored
FocusData backup and storageComprehensive recovery of data, applications, and infrastructure
ProcessesData copy verification, consistency checks, storage verificationFull system restore, spot-checking, disaster simulation
ScopeData-focusedBroader scope including systems and infrastructure
FrequencyRegular intervals (daily, weekly, monthly)Less frequent but more thorough
Testing AreasBackup scheduling, data transfer, storage capacityRecovery time objectives (RTO), recovery point objectives (RPO), failover/failback
ValidationBackup data is complete and accessibleRestored data and systems are fully functional

A Collaborative Learning Event I Might Run

To complete a thought on community of practices I did this weekend with “A CoP is Collaborative Learning, not Lecture” and “How I would Organize a Meeting of a CoP” I’m now going to build, from the group up, a collaborative learning event I would love to organize.

A little caveat: I really burnt out on professional obligations last year and have just started to peak my head out. So, it may be a little harder to turn this mad scientist dream into a reality. However, I think it is worth putting out as a thought experiment.

Theme and Scope

I’ve written a bit about the challenges to quality, and these challenges provide a framework for much of what I think and write about.

More specifically drawing from the “Challenges in Validation” focusing on the challenges of navigating a complex validation landscape characterized by rapid technological advancements, evolving regulatory standards, and the development of novel therapies.

This event would ask, “How do we rise to the challenges of validation in the next decade, leveraging technology and a risk management approach and drawing from the best practices of ASTM E2500, GAMP5, and others to meet and exceed changing regulatory requirements.”

Intended Audience

I go to events, and there are a lot of quality people, OR risk management people, OR computer systems (IT and Q) people, OR engineers, OR analytical method folks, OR process development people. Rarely do I see an event that looks at the whole picture. And rarely do I get to attend an event where we are sharing and blurring the lines between the various silos. So let us break down the silos and invite quality, IT, engineers, and process development individuals involved in the full spectrum of pharmaceutical (and possibly medtech) validation.

This holistic event is meant to blend boundaries, share best practices, challenge ourselves, and look across the entire validation lifecycle.

Structure

Opening/Networking (1 hour)

As people arrive, they go right into a poster event. These posters are each for a specific methodology/approach of ASTM E2500, ISPE Baseline Guides, FDA’s Guidance for Process Validation: General Principles and Practices, ICH’s QbD approach, and GAMP5. Maybe some other things.

These posters would each:

  • Provide an overview of what it is and why it is important
  • Overview of methodology
  • What challenges it overcomes
  • Lessons that can be applied
  • Challenges/problems inherent in the approach

These posters would be fun to develop and take a good squad of experts.

After an hour of mingling, sharing, and baselining, we could move to the next step.

Fish Bowl Debate (45 minutes)

Having earlier selected a specific topic and a panel of experts, hold a fish bowl debate. This would be excellent as a mock-inspection, maybe of a really challenging topic. Great place to bring those inspectors in.

During a fish bowl, everyone not in the center is taking notes. I love a worksheet to help with this by providing things to look for to get the critical thinking going.

Future Workshop (1.5 hour)

  1. Introduce the activity (10 min)
  2. Ask participants to reflect on their present-day situation, write down all their negative experiences on sticky notes, and place them on the wall. (15 min)
  3. Invite participants to list uncertainties they face by asking, “In your/our operating environment, what factors are impossible to predict or control their direction?” (5 min).
  4. Prioritize the most critical factors by asking, “Which factors threaten your/our ability to operate successfully?” (10 min)
  5. Based on the group’s history and experience, select the two most critical and most uncertain (X and Y). (5 min)
  6. Create a grid with two axes—X & Y—with a “more of <— —> less of” continuum to represent the factor on each axis. For example, suppose new modalities are a critically uncertain factor for the X-axis. In that case, one end of the X-axis is many new modalities, and the other is no new modalities. Repeat for the Y factor and axis. For instance, if patent protection is a critical factor, one end of the Y axis is strong patent protection, and the other has no patent protection. Four quadrants are created. (5 min)
  7. Break into four groups, and each group creatively names and writes a thumbnail scenario for one of the quadrants. (10 min)
  8. The four groups share their scenarios briefly. 2 min. each
  9. Participants fantasize about the desired future situation. How would the ideal situation be for them? At this stage, there are no limitations; everything is possible. Write on stick notes and apply them to the most likely quadrant. (10 minutes)
  10. Do a n/3 activity to find the top ideas (enough for groups of 4-5 each) (3 min)
  11. Explain the next activity (2 min)

Lunch (1 hour)

Open Space Solution (1 hour)

For each top idea, the participants vote with their feet and go to develop the concept. Each group is looking to come up with the challenge solved, a tool/methodology, and an example.

Review the Results of the Open Space Solutions (1 hour)

Each team presents for 5-8 minutes.

1-2-4-All (20 minutes)

  1. Silent self-reflection by individuals on the shared challenge, framed as a question “What opportunities do YOU see for making progress on this challenge? How would you handle this situation? What ideas or actions do you recommend?” (1 min)
  2. Generate ideas in pairs, building on ideas from self-reflection. (2 min)
  3. Share and develop ideas from your pair in foursomes (notice similarities and differences).( 4 min)
  4. Ask, “What is one idea that stood out in your conversation?” Each group shares one important idea with all (15 min)

Closing Commitment (5 min)

Where will this live? What comes next? Make a commitment to follow up electronically.

Networking

Spend an hour or so with drinks and food and discuss everything. Never enough socialization.