While the regulations haven’t changed dramatically in recent years, the compliance expectation is ever increasing. The inspectorate’s use of computerised systems (e.g., Turbo EIR) allows inspectors to focus on industry trends and take a more risk-based approach. This leads inspectors towards common noncompliance areas within industry quality systems.
As an industry, we need to be prepared for FDA’s increased focus on these trouble areas, and concentrating on them is a good starting point for risk reduction. One way to approach this is to address the governing quality systems that cover the top-hitting observations. Monitoring the status of your site’s quality systems and reacting to reported quality metrics helps to avoid compliance issues and facilitates continuous improvement.
- Procedures not in writing or not fully followed (21 CFR 211.22(d))
For a pharmaceutical company to prove to the FDA that it is operating within the highest standard of compliance, its standard operating procedures (SOPs) must be clearly written, and maintained and modified in a timely and consistent manner.
Pharma companies can experience difficulty in this area when their document control systems are paper-based, dispersed between a number of locations, or if the company does not sufficiently track approvals and signatures.
SOPs can be complex to create and maintain, and regulatory bodies are becoming more and more focused on compliance and enforcement operations. Most SOPs are very complex and can be difficult to read and follow on a daily basis. Too much information and excessive detail increase the risk of errors and mistakes, and complexity also leads to demotivation and disengagement amongst personnel.
How to avoid the observations:
Restructuring SOPs can seem expensive and complicated. Simplify complex or confusing SOPs to help avoid a “procedures not fully followed” observation. When re-engineering your procedures, redline the procedure in the field, maintain simplicity, use photos or drawings to clarify, reduce the number of people involved in the tasks, and test and verify SOP function.
An electronic system is key to automating the routing and delivery of SOPs, policies, work instructions, and other pertinent documentation to designated personnel while maintaining SOPs and other critical documentation in a secure, web-based repository.
- Discrepancies and/or failures in investigations (21 CFR 211.192)
The trend shows that deviation handling, investigations and CAPA recur across pharma, device, and biologics.
All deviations from written procedures must be thoroughly investigated, according to the 21 CFR 211.192 guideline, and the results of those investigations must be adequately documented. In 2016, investigations of discrepancies in production record review (CFR 211.192) continued to be one of the most frequently cited observations for drug products by the FDA. If a pharmaceutical company is unable to identify potential root causes and make sufficient record of them, its internal investigations will be viewed by the FDA as incomplete.
How to avoid these types of Observational Warnings:
At minimum, a good closed-loop investigation system comprises the following elements: Identification, Prioritisation, Assignment/Acknowledgement, Investigation, Correction, Implementation, Verification and Close.
Following on from the investigation element, companies will often come to a root cause, for example: equipment failure, availability or design; procedure inadequate; procedure not followed; or human error. While these are valid intermediate root causes, they need further analysis to arrive at truly effective CAPAs. At this point it is important to add another layer to the root cause investigation to establish the true root cause.
The investigation into and documentation of quality events is drastically simplified with Quality Management software that enables an organization to automate the management of the entire CAPA process, from initiation to investigation and all the way through to closure.
3. Process Equipment, subsection 5.4 Computerised Systems, paragraph 5.43 of guideline ICH Q7, which states:
“Computerised systems should have sufficient controls to prevent unauthorised access or changes to data. There should be controls to prevent omissions in data (e.g. system turned off and data not captured). There should be a record of any data change made, the previous entry, who made the change, and when the change was made.”
Typical examples refer to unregulated access to raw electronic data, as follows:
- deletion of “bad” analyses (HPLC) after choosing the ones with specification-compliant results
- manipulation of metadata in audit trail
- changing the date of analyses
How to avoid these types of Observational Warnings:
As part of your company’s internal audit procedure, data integrity should be systematically checked across all key GMP functions. The scope should cover items such as
- How is access authorised and controlled?
- Have you justified access levels and the user privileges at each level?
- Are there specific user profiles to access software and provide audit trails for traceability?
- Are privileges restricted (can’t delete / overwrite / move)?
- Is the administration independent of the analytical function?
- How is it enforced that passwords are not shared?
- Are passwords changed periodically and are they of high strength?
- Is the Audit Trail functionality switched on?
- Is the date/time functionality locked by IT?
- Has the system been validated for its intended use?
- Are all data processing methods validated and locked by the administrator?
- Is it necessary to ‘save’ before it is submitted for review?
- Are accurate audit trail entries put in when prompted?
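
As an added illustration (not part of the original article), the paragraph 5.43 requirements and the manipulation examples listed above can be turned into an automated review of an exported audit trail. The record layout, field names and sample entries below are constructed assumptions; real chromatography or LIMS systems export different formats.

```python
from datetime import datetime

# Constructed sample audit-trail export (hypothetical field names and values).
SAMPLE_TRAIL = [
    {"seq": 1, "ts": "2016-03-01T09:00:00", "user": "analyst1", "action": "create",
     "record": "HPLC-001", "old": None, "new": "98.2"},
    {"seq": 2, "ts": "2016-03-01T09:20:00", "user": "analyst1", "action": "create",
     "record": "HPLC-002", "old": None, "new": "91.4"},
    {"seq": 3, "ts": "2016-03-01T09:25:00", "user": "analyst1", "action": "delete",
     "record": "HPLC-002", "old": "91.4", "new": None},
    # seq 4 is absent and this entry is dated before the ones above it
    {"seq": 5, "ts": "2016-02-27T16:00:00", "user": "analyst1", "action": "modify",
     "record": "HPLC-001", "old": "98.2", "new": "99.1"},
    {"seq": 6, "ts": "2016-03-01T10:00:00", "user": "", "action": "modify",
     "record": "HPLC-001", "old": None, "new": "99.5"},
]

def review_audit_trail(entries):
    """Return (seq, finding) tuples for a reviewer to follow up."""
    findings = []
    prev_seq, high_ts = None, None
    for e in sorted(entries, key=lambda e: e["seq"]):
        ts = datetime.fromisoformat(e["ts"])
        # Omission of data: sequence numbers must be contiguous.
        if prev_seq is not None and e["seq"] != prev_seq + 1:
            findings.append((e["seq"], "sequence gap"))
        # Changed dates: a later entry must not be older than an earlier one.
        if high_ts is not None and ts < high_ts:
            findings.append((e["seq"], "timestamp earlier than previous entry"))
        # "Who made the change" must be recorded.
        if not e["user"]:
            findings.append((e["seq"], "missing user"))
        # "The previous entry" must be kept for every change or deletion.
        if e["action"] in ("modify", "delete") and e["old"] is None:
            findings.append((e["seq"], "missing previous value"))
        # Deleted analytical results always need a documented justification.
        if e["action"] == "delete":
            findings.append((e["seq"], "result deleted"))
        prev_seq = e["seq"]
        high_ts = ts if high_ts is None else max(high_ts, ts)
    return findings

if __name__ == "__main__":
    for seq, finding in review_audit_trail(SAMPLE_TRAIL):
        print(f"entry {seq}: {finding}")
```

A clean trail returns an empty list; each finding is a prompt for investigation, not proof of manipulation.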