MHRA on Good Pharacovigilance Inspections

The MHRA GPvP inspectorate recently published their latest inspection metrics for the period from April 2019 to March 2020. 

Someday these reports won’t take a year to write. If I took a year writing my annual reports I would receive an inspection finding from the MHRA.

There is no surprise that the five critical observations are all from risk management. Risk management is also the largest source of major findings, with quality management a close second with a lot of growth.

There are a lot of observations around the smooth and effective running of the CAPA program; a fair amount on PSMF management; and a handful on procedure, training and oversight.

Looking at the nine major observations due to deficiencies in the management of CAPA, the MHRA reports these problems:

  • Delays to CAPA development
  • CAPA that did not address the root cause and impact analysis for the identified noncompliance
  • Open CAPA which were significantly past their due date
  • CAPA raised from a previous critical finding raised at an earlier MHRA inspection had not been addressed

I’m going to go out on a limb here and say some of these stem from companies thinking non-GMP CAPAs do not require the same level of control and scrutiny. Root Cause Analysis and a good CAPA program are fundamental, no matter where you fall on (or out of) the pharmaceutical regulatory spectrum.

Root Cause Analysis Deficiencies

An appropriate level of root cause analysis should be applied during the investigation of deviations, suspected product defects and other problems. This can be determined using Quality Risk Management principles. In cases where the true root cause(s) of the issue cannot be determined, consideration should be given to identifying the most likely root cause(s) and to addressing those. Where human error is suspected or identified as the cause, this should be justified having taken care to ensure that process, procedural or system based errors or problems have not been overlooked, if present.

Appropriate corrective actions and/or preventative actions (CAPAs) should be identified and taken in response to investigations. The effectiveness of such actions should be monitored and assessed, in line with Quality Risk Management principles.

EU Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 1 Pharmaceutical System C1.4(xiv)

The MHRA cited 210 companies in 2019 on failure to conduct good root cause analysis and develop appropriate CAPAs. 6 of those were critical and a 100 were major.

My guess is if I asked those 210 companies in 2018 how their root cause analysis and CAPAs were doing, 85% would say “great!” We tend to overestimate our capabilities on the fundamentals (which root cause analysis and CAPA are) and not to continuously invest in improvement.

Of course, without good benchmarking, its really easy to say good enough and not be. There can be a tendency to say “Well we’ve never had a problem here, so we’re good.” Where in reality its just the problem has never been seen in an inspection or has never gone critical.

The FDA has fairly similar observations around root cause analysis. As does anyone who shares their metrics in any way. Bad root cause and bad CAPAs are pretty widespread.

This comes up a lot because the quality of CAPAs (and quantity) are considered key indicators of an organization’s health. CAPAs demonstrate that issues are acknowledged, tracked and remediated in an effective manner to eliminate or reduce the risk of a recurrence. The timeliness and robustness of these processes and records indicate whether an organization demonstrates effective planning and has sufficient resources to manage, resolve and correct past issues and prevent future issues.

A good CAPA system covers problem identification (which can be, and usually is a few different processes), root cause analysis, corrective and preventive actions, CAPA effectiveness, metrics, and governance. It is a house of cards, short one and the whole structure will fall down around you, often when you least need it to.

We can’t freeze our systems with superglue. If we are not continually improving then we are going backwards. No steady state when it comes to quality.

MHRA 2019 GMP Inspection Data and Documentation observations

Transparency is something that regulatory agencies need to get better at, both in sharing more and doing it in a timely manner. The fact that the 2019 data from the MHRA was released in October of 2020 is pretty poor. As a reference, the FDA releases their data pretty reliably at the end of the calendar year for the given year.

Been evaluating the MHRA’s 2020 data on Chapter 4 Documentation, which is the 2nd largest category of observations in 2019 (and in 2018 before it).

80 different inspections cited comments against the Principles section

Good documentation constitutes an essential part of the quality assurance system and is key to operating in compliance with GMP requirements. The various types of documents and media used should be fully defined in the manufacturer’s Quality Management System.


Documentation may exist in a variety of forms, including paper-based, electronic or photographic media. The main objective of the system of documentation utilized must be to establish, control, monitor and record all activities which directly or indirectly impact on all aspects of the quality of medicinal products. The Quality Management System should include sufficient instructional detail to facilitate a common understanding of the requirements, in addition to providing for sufficient recording of the various processes and evaluation of any observations, so that ongoing application of the requirements may be demonstrated.


There are two primary types of documentation used to manage and record GMP compliance: instructions (directions, requirements) and records/reports. Appropriate good documentation practice should be applied with respect to the type of document.


Suitable controls should be implemented to ensure the accuracy, integrity, availability and legibility of documents. Instruction documents should be free from errors and available in writing. The term ‘written’ means recorded, or documented on media from which data may be rendered in a human readable form.

Principles, Chapter 4 Documentation

The Principles section then goes on to lay out the required document types.

I would love to see more. Is this 80 companies who don’t known what a SMF is? Good documentation practices? Don’t have SOPs and batch records? Have errors in their documents? Don’t approve them? More transparency would be valuable here.

We can learn more by drilling down in the document.

  • There are 87 inspections with 4.1 in section “Generation and Control of Documents”. 1 is critical and 25 are major. Here we see failures in understanding types of documents and controlling them, or maybe just having them in the first place.
  • The 82 against 4.2 (1 critical and 20 major) are more about having the manufacturing and testing process defined (and matching the filing).
  • 103 inspections with observations against 4.3 (23 major) show companies that do not have appropriate approval and release controls
  • 14 for 4.4 (6 major) means there are 14 companies out there who can’t write a good process and procedure. 4.4 has one of my favorite requirements “written in an imperative mandatory style”
  • 60 against 4.5 (13 major) demonstrates a lack of review and keeping documents up-to-date.
  • 12 companies (6 major) have terrible handwriting and cannot stick to ballpoints, yes in fact 4.7 states “Handwritten entries should be made in clear, legible, indelible way.”
  • 103 against 4.8 (1 critical and 28 major) is ALCOA focused on contemporaneous, attributable and accurate.
  • 18 for 4.9 (6 major) is for not correcting data correctly. That’s right 18 companies do not know how to comment correctly.
  • 22 for 4.10 (1 critical and 9 major) is for not clearly laying out the manufacturing records and keeping them for the retention period.
  • 19 for 4.29 (5 major) is a lack of process and procedure for a grab-bag of quality processes from change control to equipment management to cleaning

There are more, but we are in single digit observation territory.

Useful things to be evaluating in your own organization. As a good place to start, here are some questions to ask when contemplating data integrity.

MHRA on Passing the Baton from GPvP to GMP

I love the MHRA Inspectorate blog. They don’t write often, but when they do, good stuff. Here are some of my thoughts on the post on moving patient safety data from determination as part of the pharmacovigilance efforts to labeling to distribution.

Starting in the Good Pharmacovigilance Practice (GPvP) realm, triggers for updates may be identified by pharmacovigilance staff and the corresponding variations submitted by regulatory affairs staff, who will also receive notification of variation approval. At this stage Good Manufacturing Practice (GMP) processes come into play with arrangements for printing the updated leaflets and incorporating these into the supply chain.

MHRA Inspectporate Blog “Passing the baton from GPvP to GMP: Three top tips for protecting patients and staying compliant ” 17 Dec 2019

Unless otherwise stated, updates to patient information leaflets should be introduced within 3 to 6 months of approval” – this is the critical point stressed in this post. The recommendations given in the blog post are solid.

Blog RecommendationThoughts
Check that the end to end process facilitates the timely implementation of updates and that there is seamless transition from written procedures covering GPvP, regulatory affairs and GMP processes. Labeling is often a separate change control process. Integration and simplification in change management is critical and companies should look seriously at balkanization of systems.
Define what is meant by ‘implementation’ of an updated leaflet and make sure this is in advance of regulatory deadlines to prevent the need for batches being re-worked should there be any unexpected delays Effective dates on changes need to take into account deadlines.

Appropriate linkages to ERP and supply chain systems.
Ensure the QP has access to up to date information on the correct leaflet version that should be used at batch certification. Communication, and the use of integrated change management

I also read this morning Teresa Gorecki’s post “Dedicated, Integrated Quality Assurance Systems Critical to Successful Clinical Trials.” All of her points are highly relevant here.

A list of Pharmaceutical Regulatory Requirements for Data Integrity

A compilation of regulatory requirements in pharmaceuticals for data requirements.

SourceReferenceContent
EMAEMA Guideline on GCP compliance in relation to trial master fileA certified copy is a paper or electronic copy of the original record that has been verified (e.g. by a dated signature) or has been generated through a validated process to produce a copy having the exact content and meaning of the original.
EMA/CHMP/ICH Tripartite GCPGuideline for good clinical practice E6(R2)Source Data: All information in original records and certified copies of original records of clinical findings, observations, or other activities in a clinical trial necessary for the reconstruction and evaluation of the trial. Source data are contained in source documents (original records or certified copies).
EMA/CHMP/ICH Tripartite GCPGuideline for good clinical practice E6(R2)Source Documents: Original documents, data, and records (e.g. hospital records, clinical and office charts, laboratory notes, memoranda, subjects’ diaries or evaluation checklists, pharmacy dispensing records, recorded data from automated instruments, copies or transcriptions certified after verification as being accurate copies, microfiches, photographic negatives, microfilm or magnetic media, x-rays, subject files, and records kept at the pharmacy, at the laboratories and at medico-technical departments involved in the clinical trial).

Certified Copy: A copy (irrespective of the type of media used) of the original record that has been verified (i.e., by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.

When a copy is used to replace an original document (e.g., source documents, CRF), the copy should fulfill the requirements for certified copies.

EudraLexAnnex 11Audit Trails

Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.

EudraLexChapter 4Generation and Control of Documentation

All types of document should be defined and adhered to. The requirements apply equally to all forms of document media types. Complex systems need to be understood, well documented, validated, and adequate controls should be in place. Many documents (instructions and/or records) may exist in hybrid forms, i.e. some elements as electronic and others as paper based.

EudraLexChapter 4Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which is used to generate other records. For electronic records regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data
OECDGLP No 1Section 2.3 item 7. Raw data means all original test facility records and documentation, or verified copies thereof, which are the result of the original observations and activities in a study. Raw data also may include, for example, photographs, microfilm or microfiche copies, computer readable media, dictated observations, recorded data from automated instruments, or any other data storage medium that has been recognized as capable of providing secure storage of information for a time period as stated in section 10, below. (Section 10 not reproduced here.)
OECDGLP No 17Data (raw data): Data (raw data) may be defined as measurable or descriptive attribute of a physical entity, process or event. The GLP Principles define

raw data as all laboratory records and documentation, including data directly entered into a computer through an automatic instrument interface, which are the results of primary observations and activities in a study and which are necessary for the reconstruction and evaluation of the report of that study.

Data (derived data): Derived data depend on raw data and can be reconstructed from raw data (e.g., final concentrations as calculated by a spreadsheet relying on raw data, result tables as summarized by a LIMS, etc.).

OECDGLP No 173.4. Audit trails

An audit trail provides documentary evidence of activities that have affected the content or meaning of a record at a specific time point. Audit trails need to be available and convertible to a human readable form. Depending on the system, log files may be considered (or may be considered in addition, to an audit trailing system) to meet this requirement. Any change to electronic records must not obscure the original entry and be time and date stamped and traceable to the person who made the change.

Audit trail for a computerised system should be enabled, appropriately configured and reflect the roles and responsibilities of study personnel. The ability to make modifications to the audit trail settings should be restricted to authorised personnel. Any personnel involved in a study (e.g. study directors, heads of analytical departments, analysts, etc.) should not be authorised to change audit trail settings.

PIC/SPI 041-1 (Draft

2)

Complete: All information that would be critical to recreating an event is important when trying to understand the event. The level of detail required for an information set to be considered complete would depend on the criticality of the information…A complete record of data generated electronically includes relevant metadata.
PIC/SPI 041-1 (Draft

2)

Many electronic records are important to retain in their dynamic (electronic) format, to enable interaction with the data. Data must be retained in a dynamic form where this is critical to its integrity or later verification.
PIC/SPI 041-1 (Draft

2)

The original record can be described as the first-capture of information, whether recorded on paper (static) or electronically (usually dynamic, depending on the complexity of the system).

Information that is originally captured in a dynamic state should remain available in that state.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions6.2. Raw data (synonymous with “source data” which is defined in ICH GCP)

Raw data is defined as the original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically. Information that is originally captured in a dynamic state should remain available in that state.

Raw data must permit full reconstruction of the activities. Where this has been captured in a dynamic state and generated electronically, paper copies cannot be considered as ‘raw data’…. In all definitions, the term ‘data’ includes raw data.

UK MHRA‘GXP’ Data Integrity Guidance and DefinitionsA static record format, such as a paper or electronic record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static electronic format chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

Records in dynamic format, such as electronic records, allow an interactive relationship between the user and the record content. For example, electronic records in database formats allow the user to track, trend and query data; chromatography records maintained as electronic records allow the user or reviewer (with appropriate access permissions) to reprocess the data and expand the baseline to view the integration more clearly.

Where it is not practical or feasibly possible to retain the original copy of source data, (e.g. MRI scans, where the source machine is not under the study sponsor’s control and the operator can only provide summary statistics) the risks and mitigation should be documented.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions6.11.1      Original record

The first or source capture of data or information e.g. original paper record of manual observation or electronic raw data file from a computerised system, and all subsequent data required to fully reconstruct the conduct of the GXP activity. Original records can be Static or Dynamic.

6.11.2      True copy

A copy (irrespective of the type of media used) of the original record that has been verified (i.e. by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.

A true copy may be stored in a different electronic file format to the original record if required, but must retain the metadata and audit trail required to ensure that the full meaning of the data are kept and its history may be reconstructed.

Original records and true copies must preserve the integrity of the record. True copies of original records may be retained in place of the original record (e.g. scan of a paper record), if a documented system is in place to verify and record the integrity of the copy. Organisations should consider any risk associated with the destruction of original records.

It should be possible to create a true copy of electronic data, including relevant metadata, for the purposes of review, backup and archival. Accurate and complete copies for certification of the copy should include the meaning of the data (e.g. date formats, context, layout, electronic signatures and authorisations) and the full GXP audit trail. Consideration should be given to the dynamic functionality of a ‘true copy’ throughout the retention period (see ‘archive’).

Data must be retained in a dynamic form where this is critical to its integrity or later verification. If the computerized system cannot be maintained e.g., if it is no longer supported, then records should be archived according to a documented archiving strategy prior to decommissioning the computerized system. It is conceivable for some data generated by electronic means to be retained in an acceptable paper or electronic format, where it can be justified that a static record maintains the integrity of the original data. However, the data retention process must be shown to include verified copies of all raw data, metadata, relevant audit trail and result files, any variable software/system configuration settings specific to each record, and all data processing runs (including methods and audit trails) necessary for reconstruction of a given raw data set. It would also require a documented means to verify that the printed records were an accurate representation. To enable a GXP compliant record this approach is likely to be demanding in its administration.

UK MHRA‘GXP’ Data Integrity Guidance and Definitions4.3 Hybrid

Where hybrid systems are used, it should be clearly documented what constitutes the whole data set and all records that are defined by the data set should be reviewed and retained. Hybrid systems should be designed to ensure they meet the desired objective.

UK MHRA‘GXP’ Data Integrity Guidance and DefinitionsThe audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GXP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action.
US FDA21 CFR Part

211.194 (a)

 

Laboratory records shall include complete data derived from all tests necessary to assure compliance with established specifications and standards, including examinations and assays
US FDA21 CFR Part

211.188

Batch production and control records shall be prepared for each batch of drug product produced and shall include complete information relating to the production and control of each batch.
US FDA21 CFR Part

211.68(b)

Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.
US FDA21 CFR Part

58.3(k)

Raw data means any laboratory worksheets, records, memoranda, notes, or exact copies thereof, that are the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study.
US FDA21 CFR Part

58.3

Raw data means all original nonclinical laboratory study records and documentation or exact copies that maintain the original intent and meaning and are made according to the person’s certified copy procedures.

Raw data includes any laboratory worksheets, correspondence, notes, and other documentation (regardless of capture medium) that are the result of original observations and activities of a nonclinical laboratory study and are necessary for the reconstruction and evaluation of the report of that study.

Raw data also includes the signed and dated pathology report.

US FDA21 CFR Part 211.180(d)Records required under this part may be retained either as original records or as true copies such as photocopies, microfilm, microfiche, or other accurate reproductions of the original records. Where reduction techniques, such as microfilming, are used, suitable reader and photocopying equipment shall be readily available.
US FDAData Integrity and Compliance with CGMP Guidance for

Industry (draft)

Electronic copies can be used as true copies of paper or electronic records, provided the copies preserve the content and meaning of the original data, which includes associated metadata and the static or dynamic nature of the original records.

True copies of dynamic electronic records may be made and maintained in the format of the original records or in a compatible format, provided that the content and meaning of the original records are preserved and that a suitable reader and copying equipment (for example, software and hardware, including media readers) are readily available.

US FDAData Integrity and Compliance with CGMP Guidance for

Industry (draft)

What is an “audit trail”?

For purposes of this guidance, audit trail means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record. An audit trail is a chronology of the “who, what, when, and why” of a record.

For example, the audit trail for a high performance liquid chromatography (HPLC) run could include the user name, date/time of the run, the integration parameters used, and details of a reprocessing, if any, including change justification for the reprocessing.

Electronic audit trails include those that track creation, modification, or deletion of data (such as processing parameters and results) and those that track actions at the record or system level (such as attempts to access the system or rename or delete a file).

CGMP-compliant record-keeping practices prevent data from being lost or obscured (see §§ 211.160(a), 211.194, and 212.110(b)). Electronic record-keeping systems, which include audit trails, can fulfill these CGMP requirements.

US FDAData Integrity and Compliance with CGMP Guidance for IndustryFor the purposes of this guidance, static is used to indicate a fixed-data document such as a paper record or an electronic image, and dynamic means that the record format allows interaction between the user and the record content. For example, a dynamic chromatographic record may allow the user to change the baseline and reprocess chromatographic data so that the resulting peaks may appear smaller or larger. It also may allow the user to modify formulas or entries in a spreadsheet used to compute test results or other information such as calculated yield.
WHOTRS No. 996

Annex 5

Data means all original records and true copies of original records, including source data and metadata and all subsequent transformations and reports of these data, which are generated or recorded at the time of the GXP activity and allow full and complete reconstruction and evaluation of the GXP activity. Data should be accurately recorded by permanent means at the time of the activity. Data may be contained in paper records (such as worksheets and logbooks), electronic records and audit trails, photographs, microfilm or microfiche, audio- or video-files or any other media whereby information related to GXP activities is recorded.
WHOTRS No. 996

Annex 5

Dynamic record format.

Records in dynamic format, such as electronic records, that allow for an interactive relationship between the user and the record content. For example, electronic records in database formats allow the user to track, trend and query data; chromatography records maintained as electronic records allow the

user (with proper access permissions) to reprocess the data and expand the baseline to view the integration more clearly.

Static record format.

A static record format, such as a paper or pdf record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static pdfs, chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

WHOTRS No. 996

Annex 5

The use of hybrid systems is discouraged, but where legacy systems are awaiting replacement, mitigating controls should be in place…

A hybrid approach might exceptionally be used to sign electronic records when the system lacks features for electronic signatures, provided adequate security can be maintained…

Replacement of hybrid systems should be a priority.