Being Small and Speciality Does not Exempt from the GMPs

Specialty Process Labs LLC is a specialty API manufacturer of natural desiccated thyroid, which is, yes, what you might think it is. As far as I can tell, it mostly ships directly to compounding pharmacies and patients. This month they got a warning letter.

The warning letter highlights:

  1. Failure to validate the process
  2. Failure to test to specification
  3. Failure to exercise sufficient controls over computerized systems

All three of these observations make me rather glad my loved ones take levothyroxine, and I am deeply aware of all the difficulties in that drug supply.

Focusing on the computerized systems, the letter gives an unsurprising list: bad access controls, changes made without change control, and failure to validate Excel spreadsheets.

The last observation really stood out to me:

“Manufacturing master batch records held in electronic form on your company’s shared drive do not have restrictions on user access. Your quality unit personnel stated that there are no restrictions for any personnel with login credentials to access new and obsolete master records. Our investigator observed during the inspection multiple versions of batch records were utilized for API lot production.”

This is truly a failure in document access and record management, and it is one I see in a lot of places. The core requirement here is really well stated in the PIC/S Data Integrity Guidance requirement 8.4 “Expectations for the generation, distribution and control of records.” Please read the whole section, but pay close attention to the following:

  • Documents should be stored in a manner which ensures appropriate version control.
  • Master documents should contain distinctive marking so to distinguish the master from a copy, e.g. use of coloured papers or inks so as to prevent inadvertent use.
  • Master documents (in electronic form) should be prevented from unauthorised or inadvertent changes.
  • Document issuance should be controlled by written procedures that include the following controls:
    • details of who issued the copies and when they were issued;
    • clear means of differentiating approved copies of documents, e.g. by use of a secure stamp, or paper colour code not available in the working areas or another appropriate system;
    • ensuring that only the current approved version is available for use;
    • allocating a unique identifier to each blank document issued and recording the issue of each document in a register;
    • numbering every distributed copy (e.g.: copy 2 of 2) and sequential numbering of issued pages in bound books;
    • where the re-issue of additional copies of the blank template is necessary, a controlled process regarding re-issue should be followed with all distributed copies maintained and a justification and approval for the need of an extra copy recorded, e.g.: “the original template record was damaged”;
    • critical GMP/GDP blank forms (e.g.: worksheets, laboratory notebooks, batch records, control records) should be reconciled following use to ensure the accuracy and completeness of records; and
    • where copies of documents other than records, (e.g. procedures), are printed for reference only, reconciliation may not be required, providing the documents are time-stamped on generation, and their short-term validity marked on the document

There are incredibly clear guidelines for these activities that the agencies have provided. Just need to use them.

GMP Lab Warning Letter – A Baseline of Expectations

A February 2022 FDA Warning Letter to Accu Bio-Chem Laboratories provides a great baseline for what your audit programs should look at and what your own labs should focus on:

Throw in a good lab instrument qualification review, and supplier/raw materials management, and you have a pretty solid program.

Remote Inspections and Computer Systems

The US FDA recently changed the Investigations Operations Manual to allow Investigators direct access to a company’s databases during a BIMO inspection (see Section 5.10.2.1).

As the conduct of clinical and non-clinical trials increasingly moves toward 100% electronic data capture, to include electronic case report forms, medical records, patient-reported outcomes, informed consent systems and other electronic study records, it has become necessary for bioresearch monitoring investigators to have access to these electronic systems and databases in order to successfully perform inspections. Overseeing the firm’s personnel while they access their system is not always practical in BIMO inspections, as this can result in the firm having to dedicate an individual to this task.

FDA Investigations Operations Manual section 5.10.2.1

Obviously, if you haven’t, you should be updating your GCP Inspections SOP, especially since they have a few interesting requirements, such as “While you may complete a form needed by the firm in order to obtain read-only access, such as an account request form, you will not sign such form as per section 5.1.2.3. You may acknowledge via email that you have completed any required training necessary for access.”

I think for many in the GCP world this change is sort of a sleeper change. We have been used to giving access to EMA inspectors for years, who often know more about your TMF than you do by the time they walk in the door.

The really interesting thing is how this spells a shift in attitude at the agency that has been a long time coming, and how it fits into the recent increase in remote inspections.

Remote inspections are here to stay. Set aside the FDA’s current view that a remote event is not an inspection. One of the big things that stands out about remote inspections is that they do not work well to find data integrity issues, as we’ve seen from the decrease in observations that is not proportionate to the overall size of inspections. I think what we are seeing here is a recognition of that, and the first shift in mindset at the agency.

I’d expect to see the FDA change their approach on the GMP side as they continue to absorb the lessons learned from remote inspections. It is a trend that I would be paying attention to as you continue your digital journey. It is always important to think “how will an inspector view this data”. Usually, we think in terms of printouts. You should also be thinking about read-only access in the near future.

SIPOC for Data Governance

The SIPOC is a great tool for understanding data and fits nicely into a larger data process mapping initiative.

By understanding where the data comes from (Supplier), what it is used for (Customer) and what is done to the data on its trip from supplier to the customer (Process), you can:

  • Understand the requirements that the customer has for the data
  • Understand the rules governing how the data is provided
  • Determine the gap between what is required and what is provided
  • Track the root cause of data failures – both of type and of quality
  • Create requirements for modifying the processes that move the data

The SIPOC can be applied at many levels of detail. At a high level, for example, batch data is used to determine supply. At a detailed level, a rule for calculating a data element can result in an unexpected number because of a condition that was not anticipated.

SIPOC for manufacturing data utilizing the MES (high level)

PIC/S Guidance on Data Integrity is final

This week, the Pharmaceutical Inspection Co-operation Scheme (PIC/S) finally announced that its new guidance on good practices for data management and integrity for pharmaceutical manufacturers and distributors has come into effect.
 
This is the final version of a draft document originally introduced in 2016 and re-issued as a draft in 2018. It’s been a long road to get to the final version. Final version here.