Regulatory Focus on Change Management

November was an exciting month for change management!

ICH Q12 “Technical and Regulatory Considerations for Pharmaceutical Product Lifecycle Management” was adopted by the ICH in Singapore, which means Q12 is now in Stage 5, Implementation. Implementation should be interesting as concepts like “established conditions” and “product lifecycle management” which sit at the core of Q12 are still open for interpretation as Q12 is implemented in specific regulatory markets.

And then, to end the month, PIC/S published draft 1 of PI 054-1 “Recommendation on How to Evaluate / Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management.”

This draft guidance is now in a review period by regulatory agencies. Which means no public comments, but it will be applied on a 6-month trial basis by PIC/S participating authorities, which include the US Food and Drug Administration and other regulators across Europe, Australia, Canada, South Africa, Turkey, Iran, Argentina and more.

This document is aligned to ICH Q10, and there should be few surprised in this. Given PIC/S concern that “ongoing continual improvement has probably not been realised to a meaningful extent. The PIC/S QRM Expert Circle, being well-placed to focus on the QRM concepts of the GMPs and of ICH Q10, is seeking to train GMP inspectors on what a good risk-based change management system can look like within the PQS, and how to assess the level of effectiveness of the PQS in this area” it is a good idea to start aligning to be ahead of the curve.

“Changes typically have an impact assessment performed within the change control system. However, an impact assessment is often not as comprehensive as a risk assessment for the proposed change.”

This is a critical thing that agencies have been discussing for years. There are a few key takeaways.

  1. The difference between impact and risk is critical. Impact is best thought of as “What do I need to do to make the change.” Risk is “What could go wrong in making this change?” Impact focuses on assessing the impact of the proposed change on various things such as on current documentation, equipment cleaning processes, equipment qualification, process validation, training, etc. While these things are very important to assess, asking the question about what might go wrong is also important as it is an opportunity for companies to try to prevent problems that might be associated with the proposed change after its implementation.
  2. This 8 page document is really focusing on the absence of clear links between risk assessments, proposed control strategies and the design of validation protocols.
  3. The guidance is very concerned about appropriately classifying changes and using product data to drive decisions. While not specifying it in so many words, one of the first things that popped to my mind was around how we designate changes as like-for-like in the absence of supporting data. Changes that are assigned a like-for-like classification are often not risk-assessed, and are awarded limited oversight from a GMP perspective. These can sometimes result in major problems for companies, and one that I think people are way to quick to rush to.

Much of my thoughts on implementing this can be found in my presentation on change management and change control.

It is fascinating to look at appendix 1, which really lays out some critical goals of this draft guidance: better risk management, real time release, and innovative approaches to process validation. This is sort of the journey we are all on.

FDA 483 data

The FDA has posted the 2019 483 observations as an excel file. The FDA has made these files available every year since 2006 and I find them to be one of my favorite tools for evaluating regulatory trends.

So for example, looking at change related 483 I see:

2019 vs 2018 483 comparison for short description including “change”

Or for data integrity issues:

2019 vs 2018 483 comparison for short description including “data”

Very useful resource that should be in the bookmarks for every pharmaceutical quality professional.

PIC/S Guidance of Deficiency Classification

The Pharmaceutical Inspection Convention Cooperation Scheme (PIC/S) on 01-Jan-2019 released a long-awaited guidance to help regulators harmonize the classification and reporting of good manufacturing practice (GMP) deficiency outcomes from inspections. The guidance is designed as a “tool to support the risk-based classification of GMP deficiencies from inspections and to establish consistency amongst inspectorates.”

PI 040-1 “Guidance on Classification of GMP Deficiencies

PIC/S Draft Guidance on Data Integrity

On 30-Nov-2018 PIC/S published the third draft of guidance PI 041-1 “Good Practices for Data Management and Data Integrity in regulated GMP/GDP Environments“. The first draft was published back in 2016, and the third draft is subject to a focused stakeholder consultation seeking substantive comments from trade and professional associations on specific questions relating to the proportionality, clarity and implementation of the guidance requirements. In parallel to this stakeholder consultation, the new draft is applied by PIC/S Participating Authorities on a trial basis for a new implementation trial period (3 months).

In short, you can expect inspectors to have reviewed and be reviewing against this. Do your gap analysis now and have plans in place to address the gaps. Yes, there will be a little while before this is finally published, but at this point this guidance neatly triangulates with other guidances on data integrity and we can expect most of this to be in the final version.

This document is a great place to start and can be used to develop whole sections of the quality management system. I find it very actionable. For example this table from 9.5 “Data capture/entry for computerised systems”:

pics data capture part 1pics data capture part 2



Look for trends in inspection activities

I’m in charge of ice cream, an important element of my household and as a result there are agreed upon criteria for success. I have internal inspectors (me) and external (my teenagers). I can thus produce a fairly simple graph of internal and external inspections and see the areas where there is a difference.

ice cream audit

From this I can tell which categories of findings are pain points and can look for systematic ways to fix them.

In my case, it’s clear the kids do not appreciate only having vanilla, strawberry and chocolate ice cream.

You can apply the same process to your internal vs. regulatory agencies (or certifying body or similar) audit findings.

You can quickly find two major patterns:

  1. Places you are gapping
  2. Places you are tougher than regulatory agencies

For those areas where you are gapping, evaluate your systems and determine what process improvements are necessary. A good area to include in this evaluation is the skill set of your internal auditors. For example, do you need more intensive data integrity training?

For those areas where you are tougher than regulatory agencies, do a quick check to ensure internal expectations are appropriately aligned. And then congratulate yourself.

You might have some areas where you have internal findings but absolutely no external. This might be a good indication that this might be a cutting edge area and you are doing a great job keeping ahead of the curve.

Take an additional step. Go to a source of inspection findings, such as the FDA’s 483 collection, and add them to your graph. This can help you identify additional areas of potential improvement. This can be especially helpful if you are a smaller company that does not have a wealth of data to draw.

We should all be doing what we can to anticipate trends and benchmark ourselves. This sort of data review and go a long way to finding some potential pain points before they get worse.