Deviation Review for CxO – Best Practice

Regulatory agencies have repeatedly made it clear that when a Contract Manufacturing Organization (CMO) or Contract Research Organization (CRO) experiences a deviation, the sponsor/Marketing Authorization Holder (MAH) has several key responsibilities:

  1. Review the deviation: The sponsor must thoroughly review the deviation to ensure it was appropriately defined and investigated. This review is crucial as the sponsor cannot delegate their responsibility to ensure the drug product is safe, effective, and conforms to specifications and regulatory commitments.
  2. Assess product impact: The sponsor should ensure that the CMO has properly assessed the impact of the deviation on the product. This includes evaluating whether the deviation affected material quality, safety, or efficacy.
  3. Verify appropriate material control: It’s the sponsor’s responsibility to ensure the CMO has appropriately controlled the affected material and extended this control to any other potentially affected materials.
  4. Make disposition decisions: Ultimately, the sponsor is responsible for deciding whether the product should be released, reprocessed, or rejected. This decision is especially critical if the deviation affected material in clinical trials.
  5. Oversee corrective and preventive actions: The sponsor should understand how the CMO’s corrective and preventive action (CAPA) system operates and ensure appropriate measures are taken to prevent recurrence of the deviation.
  6. Maintain oversight: While the quality agreement defines the CMO’s responsibilities, the sponsor retains 100% oversight, including executed batch record review, change control, and deviation review and approval.
  7. Risk-based approach: For major or critical deviations, sponsors should employ a risk-based approach to assess the severity and potential impact.

To simplify the deviation notification process with a Contract Organization (CxO), sponsors can implement several strategies:

Clear Communication and Documentation

  1. Establish a Well-Defined Quality Agreement: Create a comprehensive quality agreement that clearly outlines the deviation notification process, including timelines, classification criteria, and reporting requirements.
  2. Implement Standardized Templates: Develop and provide standardized templates for deviation reporting to ensure consistency and completeness of information.
  3. Set Clear Notification Timelines: Agree on specific timelines for different deviation categories. For example, critical and major deviations should be reported within one business day.

Risk-Based Approach

  1. Adopt a Quality Risk Management (QRM) Mindset: Approach the partnership with a focus on risk management, ensuring that both parties understand the potential impact of deviations on product quality and patient safety.
  2. Calibrate Risk Classification: Align the deviation classification system between the sponsor and CxO to avoid discrepancies in severity assessment.

Streamlined Processes

  1. Utilize Electronic Quality Management Systems: Implement digital tools to facilitate real-time reporting and tracking of deviations, improving efficiency and transparency. Yes, the sponsor should be taking a risk-based approach to tracking deviations in their eQMS, one that captures the important sponsor/MAH decision-making.
  2. Define Clear Roles and Responsibilities: Clearly delineate who is responsible for each step of the deviation management process, from identification to reporting and investigation.

Training and Support

  1. Provide Comprehensive Training: Ensure that CxO staff are well-trained on the sponsor’s quality expectations, deviation reporting procedures, and the use of any specific tools or systems.
  2. Offer Ongoing Support: Establish a dedicated point of contact or support team to assist the CxO with questions or issues related to deviation reporting.

Regular Review and Improvement

  1. Conduct Periodic Reviews: Schedule regular meetings to review the deviation notification process, discuss any challenges, and identify areas for improvement.
  2. Encourage Open Dialogue: Foster an environment where the CMO feels comfortable reporting issues promptly without fear of punitive action.

I strongly believe that a CxO needs to implement these strategies (do not put it only on the MAH’s shoulders) as part of their client onboarding and management process to create a more efficient and effective deviation notification process. This approach not only simplifies the process but also ensures that critical quality information is communicated promptly and accurately, ultimately contributing to better product quality and regulatory compliance. Add some value and don’t make the sponsor beg for information.

Section 711 of FDASIA and Regulatory Obligations

Too often, I see folks in pharma focus on 21 CFR Chapter 1, or at best all three chapters, maybe know the guidances and pay attention to little else. Unfortunately, that approach will often get one in trouble.

Section 711 of the Food and Drug Administration Safety and Innovation Act (FDASIA) amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) to enhance the safety and quality of the drug supply chain. Specifically, Section 711 amends Section 501(a)(2)(B) of the FD&C Act by adding the following sentence:

“For purposes of paragraph (a)(2)(B), the term ‘current good manufacturing practice’ includes the implementation of oversight and controls over the manufacture of drugs to ensure quality, including managing the risk of and establishing the safety of raw materials, materials used in the manufacturing of drugs, and finished drug products.”

This amendment clarifies that current good manufacturing practice (CGMP) requirements for drugs include:

  1. Implementing oversight and controls over the entire manufacturing process to ensure quality.
  2. Managing the risks related to raw materials, other materials used in manufacturing, and finished drug products to establish their safety.

In essence, Section 711 expands the FDA’s CGMP authority to explicitly cover supply chain management and drug manufacturers’ oversight of their suppliers and contract manufacturing operations. It also allows the FDA to enforce supply chain control requirements during inspections.

The legislative history shows that Congress intended to significantly expand the FDA’s authority over the increasingly global drug supply chain through this provision. It allows the FDA to scrutinize how manufacturers select, qualify, and oversee suppliers of raw materials and contract manufacturers to ensure drug quality and safety.

Please note that the FDA gets this expanded authority without revising 21 CFR. That’s how it works; Congress can do that. Will we eventually see some 21 CFR updates? I have no idea.

But what this does mean is that the FDA has the authority to:

  1. Inspect risk management for GMPs, and assume you have it. What does good risk management look like? The agency has adopted ICH Q9(R1) as guidance, so start there.
  2. Inspect your supplier management, which includes qualifying and overseeing suppliers and contract manufacturers.

I’ve started to receive regulatory intelligence that this is coming up in inspections. Expect to be asked for the risk management evidence and for supplier qualification and oversight evidence.

Quality Agreements with Cloud Providers

Having a quality agreement with a cloud provider is crucial for several reasons:

Ensure Regulatory Compliance

A quality agreement helps ensure the cloud provider’s services and processes comply with relevant regulations and guidelines, such as GxP (Good Practice) requirements from agencies like the FDA, EMA, and MHRA. It defines the roles, responsibilities, and expectations for maintaining data integrity, security, and quality standards throughout the product lifecycle.

Delineate Responsibilities

Cloud services often involve complex technology stacks and multiple subservice providers. A quality agreement clearly delineates the responsibilities of the regulated company and the cloud provider, ensuring that critical activities like change control, incident management, data governance, and security controls are properly addressed and assigned.

Establish Service Levels

The quality agreement specifies the agreed service levels, performance metrics, and key performance indicators (KPIs) that the cloud provider must meet, such as application availability, support response times, data security breach notification timelines, and system performance. This helps maintain the required quality of service.

Enable Oversight and Audits

The agreement outlines provisions for initial qualification audits, periodic audits, and inspections by the regulated company to assess the cloud provider’s compliance with the agreed terms. It also defines processes for managing audit findings and corrective actions.

Ensure Data Integrity and Security

Addressing data-related requirements, such as data ownership, privacy, protection controls, retention, archiving, and disposal processes, is critical to ensuring data integrity and security throughout the data lifecycle.

Manage Third-Party Risks

The agreement establishes guidelines for the approval process and compliance requirements when the cloud provider uses subcontractors or third-party services, mitigating associated risks.

Contents

A quality agreement between a regulated company (customer) and a Cloud (SaaS, PaaS, IaaS) provider should cover the following key elements:

Roles and Responsibilities

Clearly define the roles, responsibilities, and obligations of both parties regarding:

  • Regulatory compliance (GxP, data privacy, security, etc.)
  • Quality management system and processes
  • Change control and release management
  • Incident and deviation management
  • Data integrity, backup, and recovery
  • Performance monitoring and reporting

Service Levels and Performance Metrics

Specify the agreed service levels and key performance indicators (KPIs) for:

  • Application availability and uptime
  • Support response and resolution times
  • Data security and breach notification timelines
  • System performance and capacity

Audits and Assessments

Outline the provisions for:

  • Initial qualification audits of the SaaS provider
  • Periodic audits and inspections by the regulated company
  • Processes for managing audit findings and corrective actions

Data Management

Address data-related aspects such as:

  • Data ownership and usage rights
  • Data privacy and protection controls (as per applicable regulations)
  • Data retention, archiving, and disposal processes

Subcontracting and Third Parties

Establish guidelines for:

  • Approval process for use of subcontractors/third parties
  • Ensuring subcontractors comply with the quality agreement
  • Communication of changes impacting the regulated company

Term, Termination, and Offboarding

Specify conditions for:

  • Initial term and renewal of the quality agreement
  • Termination rights (e.g., for non-compliance, data breaches)
  • Responsibilities during offboarding and data transition

The quality agreement should be a comprehensive yet pragmatic document that ensures the cloud solution meets the regulated company’s quality and compliance requirements throughout the engagement.

Component Manufacturers Validation Requirements

I recently got asked what a medical device component manufacturer’s validation requirements are. Here is my answer.

Component manufacturers play a crucial role in the medical device industry by producing various parts and components for proper functioning and assembly. Here are some key expectations and responsibilities of component manufacturers in the medical device sector:

  1. Quality and Precision Manufacturing: Medical device components often require high precision, accuracy, and quality to ensure patient safety and device efficacy. To meet these demanding standards, component manufacturers must adhere to stringent quality control measures, utilize advanced manufacturing techniques, and maintain strict tolerances.
  2. Regulatory Compliance: The medical device industry is heavily regulated, and component manufacturers must comply with relevant regulations and standards set by governing bodies like the FDA, ISO, and others. This includes maintaining proper documentation, implementing quality management systems, and ensuring traceability of materials and processes.
  3. Material Selection and Biocompatibility: Many medical device components come into direct contact with the human body or bodily fluids. Consequently, component manufacturers must carefully select biocompatible, non-toxic, and suitable materials for the intended application. They must also ensure proper sterilization and packaging to maintain sterility.
  4. Design and Engineering Support: Some component manufacturers offer design and engineering services in addition to manufacturing to assist medical device companies in developing new components or optimizing existing ones. This collaboration helps ensure that components meet specific performance, functional, and regulatory requirements.
  5. Supply Chain Management: Component manufacturers must have robust supply chain management systems to ensure the timely delivery of components to medical device manufacturers. This includes maintaining adequate inventory levels, managing logistics, and minimizing disruptions in the supply chain.

Yes, component manufacturers in the medical device industry are expected to validate their manufacturing processes to ensure the components they produce meet specified requirements and perform as intended.

  • Regulatory bodies like the FDA require that components critical to the safety and performance of medical devices be produced through validated processes. This helps ensure that components consistently meet quality standards.
  • Component manufacturers must perform Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) on their manufacturing equipment and processes.
  • Validation requirements apply to finished components and raw materials, sub-components received from suppliers, and any processes involved in producing the component. Traceability of validation activities throughout the supply chain is essential.
  • The level of validation required depends on the component’s criticality and risk to the final medical device. More stringent validation is expected for higher-risk components that directly contact the patient or are essential for device safety and efficacy.
  • The component manufacturer must maintain validation documentation such as protocols, test reports, and traceability matrices and provide it to the medical device company upon request for review and auditing purposes.