Compliance Zen

16 June 2013

FDA Training Records - Three Risky Challenges

Companies train their personnel in all sorts of FDA-related activities, from quality system SOPs to core regulatory requirements to company policies. Training is a common requirement of nearly all FDA regulations, from Part 11 to 21 CFR 820.

What about training should be documented?
What should be retained and for how long?
Should training records be tied to individual personnel files or can we simply record group training?
How do I go about figuring out who should be trained on what?

These questions carry with them significant risks - for FDA compliance, for product liability litigation, and for personnel-related allegations. When I give FDA compliance training workshops, webinars and speeches, many questions about training and training records often boil down to these tricky issues. Below, I'll answer a few aspects:

What specifically does FDA require us to document about training?

In only one place does FDA spell out specific items to document, in 21 CFR 111.14(b)(2) Current Good Manufacturing Practices for Dietary Supplements. FDA states: “You must make and keep the following records: Documentation of training, including the date of the training, the type of training, and the person(s) trained.”

At minimum, I suggest that ALL firms, irrespective of industry, follow the minimum specifics listed in 21 CFR 111.14. All the other regulations provide a summary statement similar to the one in 21 CFR 820.25(b): “Training shall be documented.”

Unfortunately, in part because of these ambiguous requirements, a bad habit of using group attendance sheets has arisen over the years. Such group attendance sheets are easy, they get passed around, people sign their name, and voila – regulatory requirements met…right?

No.

Group sign-in sheets have multiple inherent weaknesses that - as many firms have discovered - undermine compliance. For instance:

When did the individual sign? Did they walk into training 5 minutes before the session ended and sign the sheet? Did they walk out of training as soon as they signed the sheet to “take a quick call” and never return?
Was it actually that individual? How often does someone match the signatures against a signature log?
How does signing a group “I showed up” sheet prove “I understand the training and I agree to abide by the training” with any level of accountability?

The reality is that most group attendance sheets go into a file drawer and are never seen again. FDA investigators understand that group attendance sheets prove little. In fact, in 32% of product recalls, FDA traced the root cause to ineffective training (US Federal Register, Vol 78, Iss. 11, 16 January 2013).

The proposed 21 CFR 117 specifically ties training to individual personnel records, eliminating the ability to use group sign-in sheets to prove FDA compliance. Supervisors are to be trained differently than line workers. And supervisors will have a responsibility to “ensure” that employees understand their obligations. Group sign-in sheets will not accomplish this.

Group sign-in sheets carry further risks for a company in two increasingly common situations:

Product liability litigation
Personnel discrimination or wrongful termination allegations.

Multiple US laws and regulations tie retention of training records to individual personnel files and roles performed. A 2008 SCOTUS ruling (CBOCS West, Inc. v. Humphries) on the statute of limitations in Section 1981 of Title VII (42 USC 1981) determined that job-related training records – such as training on SOPs – are examples of proof that can be used to show a company discriminated (or conversely, used to prove that a company did not discriminate) for several years after an employee's departure. As a result, firms now keep job-related training records for the duration of an employee’s term with the company plus at least two years (e.g., "date of departure + 2 years").

So how does your Quality group track the employment durations of each individual with your company? Or perhaps they are planning to keep every single group sign-in sheet for at least 30+ years?

These are just some of the reasons why group sign-in sheets for training cause more risks and problems than they solve.

What record(s) should I retain to prove personnel were trained appropriately and understood the training?

With my clients that I help either in FDA quality system consulting or in FDA recordkeeping consulting, I recommend retaining two record types:

Training Matrix
Individual Certificate of Acknowledgement

About the Training Matrix

A Training Matrix can be as simple or as complex as you desire, from a basic Excel spreadsheet to an Oracle or SQL database of some sort. Using an Excel spreadsheet, the left-hand column should list all the organization’s personnel; the top row should list all the potential training that could be received (specific SOPs or policies, regulations, etc.). The grid is then filled in either with the date last trained or with a shaded cell to indicate “not necessary.” Feel free to come up with other designations for date scheduled, type of training (“in person” vs. computer-based vs. “read-and-review”), and so on.

The purpose of the Training Matrix is two-fold:

Tracking who needs to be trained on what versus who has already completed training; AND
Quickly and easily showing an outside auditor or regulatory investigator the current “state of training.”

From a retention standpoint, the Training Matrix is what’s termed a “living” document. It’s constantly updated.

That said, from a risk-mitigation standpoint, I suggest my clients take an annual snapshot of the Training Matrix and archive that annual snapshot for a period of years equal to their local state statute of limitations such as 3 years or 6 years. Such a snapshot of a "living document" is not required under any regulation, it’s simply a precaution to allow the firm to quickly and easily trace who had training on what and when without having to cull through individual personnel records. It's a reminder that the Training Matrix is designed to be practical and user-friendly throughout.

With any luck, the Training Matrix is as far as the FDA investigator will need to go. However, deeper dives into specifics of what a person was trained on within a particular training session as well as the how the supervisor ensured the training was effective look to Individual Certificates of Acknowledgement.

About Individual Certificates of Acknowledgement

In each individual personnel record is the Individual Certificate of Acknowledgement.

An example Certificate of Acknowledgement documents the following items:

Topic of training session
Date of training session
Key responsibilities/requirements covered in the session
Individual’s acknowledgement that he/she understands his/her obligations
Individual’s agreement to comply with the requirements/obligations
Supervisor’s review and agreement to supervise the individual to the requirements/obligations.

Not only does this comply with both the intent of the regulatory requirements, it also has a critical added benefit: since the 1950s, studies have shown that this type of written, individual acknowledgement consistently improves compliance by up to 89%.

This is why the individual Certificate of Acknowledgement (or “Commitment” or “Understanding” or whatever word you want) is so powerful:

Improves compliance by 89%
Complies with all current US laws, court interpretations and regulations associated with training records.

One tool to comply with multiple regulations and strengthen compliance at the same time: that’s a lean compliance technique.

How do I begin to create role-based training assignments when there might be hundreds or thousands of SOPs and policies?

The key challenge is to avoid getting lost in the details. Training everyone on everything is nice in theory, but breaks down quickly in practice; the larger an organization, the more unwieldy and ineffective the training will become.

Traditionally, there are two choices in how to tackle role-based training:

Work with your local HR/personnel department to idenfity overall training requirements for each functional group; OR
Work with each functional leader (department heads, team leads, etc.) to do the same.

I advocate a more practical, flexible lean compliance approach:

Assemble a temporary, working group of representatives from each functional area and HR to carve out initial sets of "buckets." In essence, everyone in functional group X gets trained on SOPs 1 and 2; everyone in functional group Z gets trained on SOPs 2, 3, and 4; everyone in functional group A, gets trained on SOPs 4, 5, and 6; and so on.

That's the core initial population of the Training Matrix.

Then, I take that initial populated draft of the Training Matrix and go to each department head to review, tweak, answer questions, and verify. After the quick verification sessions with the department heads, the Training Matrix is now fully populated, the functional heads and their direct reports are happy, and so is HR. It's a win-win-win.

And I don't worry about "is the Training Matrix perfect?" because it is - as I noted above - a "living document" that will get modified as time goes on.

This can also help reduce the drag of training on productivity. The more time spent in training, the less revenue-generating work is completed. Thus, the goal of the business is to have the minimum amount of training necessary; in other words, to balance compliance with profitability.

FDA lean compliance provides a company defensibility with records while reducing overhead, strengthening compliance, and improving profitability.

To learn more, visit my firm's website at www.ceruleanllc.com or read previous client stories and testimonials.

Posted at 12:13 PM in FDA Enforcement, FDA regulation, Lean Compliance, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

21 March 2013

Should FDA Regulate Medical Apps?

This week, Congress is holding hearings on FDA's plan to oversee and regulate medical apps for smartphones as medical devices. As I wrote back in my Medical Apps, FDA and Patient Data Integrity posting, the regulation of medical apps is a perilous road for FDA to take given the agency's track record when it comes to technology and innovation.

Congress is using the device tax as the leitmotif, but in reality, this three-day hearing is really about whether FDA should even be tackling medical apps right now. Today, the agency can barely get a handle on its current responsibilities to oversee approximately 25% of the entire US economy. Adding the ultra fast-paced landscape of medical apps to FDA's regulatory plate seems to lie somewhere between a foolhardy power grab and a tragically noble safety effort.

According to Clinical Innovation & Technology, there are already 27,000 medical app products on the marketplace today, most of which are either free or less than a few dollars in cost. An additional 500 new medical apps are launched each day. Even if every FDA employee, from Commissioner Hamburg all the way down to the agency's latest summer intern, were to instantly (*poof*) turn into expert "FDA medical app reviewers," the agency does not have enough human beings to review all the apps on the market today much less keep pace with all the new, daily medical app product launches and nor the countless updated revisions to earlier released apps.

For a medical app to go through the FDA 510(k) process takes 3-18 months of FDA review and costs a company hundreds of thousands of dollars. So far, only 80 apps have gone through the approval process.

And to what end? What known, quantifiable, tangible public health and safety risks are being eliminated or mitigated?

What are the Public Health Risks?

For the vast majority of these apps - at least 90-95% - there are no public-wide health or safety risks not already covered under other rules such as false advertising (FTC) or market mechanics (bug-ridden apps tend not to get used very much). These are the apps geared toward you and me (i.e., the general public).

For the tiny sliver of apps for whom intended users are professional, trained medical personnel - doctors, nurses, clinicians, etc. - the risk is not direct harm to the patient; the risk is that the data within the app will become corrupted somewhow and not allow an accurate reading, an accurate diagnoses, an accurate display of trends, etc.

And its these professional, clinical apps that pose a risk - not to public health and safety - but to the ability of healthcare professionals to rely upon medical apps as helpful tools, just as the healthcare professional relies upon an office computer or Microsoft Word or the fax machine or a sharps disposal bin. FDA does not regulate these as devices...does it?

Oh wait, FDA does regulate sharps trash bins as medical devices (we'll save that for a future post).

A Simple, Common Sense Regulatory Approach to Medical Apps

Last year, Sweden's Medical Products Agency (Sweden's "FDA") published a very reasonable, balanced regulatory view with their guide on how medical software falls under the EU health regulations such as the EU GMPs and EU Annex 11. Sweden clarifies that smartphone medical apps do not - and will not ever - fall under the category of actual medical devices unless the smartphone or tablet is specifically converted into a medical device to be used largely for the detection, diagnoses and/or treatment of medical conditions (such as a smartphone specifically into a patient monitoring device).

Under that rubric, only apps strictly designed for healthcare professionals, clinical settings and/or dedicated to patient monitoring and reporting (to healthcare professionals) would fall into FDA's purview. You can download an English translation of Sweden's simple, common sense approach to regulating medical apps here.

Congress and FDA would best serve the public by adopting such a common sense approach, at least for now until actual risks materialize enough to justify heavier regulatory oversight.

Implementing heavy FDA oversight of medical apps as medical devices in the US today will only verify Winston Churchill's wry observation, "Americans can always be counted on to do the right thing...after they have exhausted all other possibilities."

Posted at 11:41 AM in FDA, Medical Apps, Medical Devices, Regulatory Intelligence | Permalink | Comments (0) | TrackBack (0)

05 February 2013

3D Printing and Nanobots - FDA Challenges Ahead

Among many products, the US Food and Drug Administration (FDA) regulates medical devices such as stents and prosthetics. FDA regulations - and compliance - are predicated on an assumption that medical device production is an involved undertaking that requires expertise, monies, and physical manufacturing.

Yet, what would happen - is happening right now - if anyone can make a fully functional, complex medical device at home in about an hour?

3D Printing of Medical Devices

Late last year, two folks collaborating from opposite sides of the planet created an articulating prosthetic hand using only a cheap 3D printer.

Then, they went one step further – they uploaded the design specs on the internet so anyone can download, make and use this 3D printer prosthetic hand today. (*Note - this news story has embedded videos to watch as well so you can see the fully articulate hand in action.) The device design is now in the public domain.

Most prosthetics are Class I devices today, requiring only an FDA quality system (21 CFR 820) and compliance with the medical device reporting rules (21 CFR 803); a 510(k) is not required. Sounds straightforward when such devices are designed and made in traditional manufacturing firms. But using this public domain specification, anyone with access to the internet and a 3D printer can make this Class I device.

So…is every person who prints one of these now an FDA-regulated manufacturer?

FDA rules, regulations and statutes are predicated on an assumption that in order to start a business – in order to design and sell a product – there are significant fixed costs involved, investors may need to be sought, expensive expertise to obtained, and so on.

Now though, all one needs is a cheap 3D printer and an internet connection to download, make and use a fully articulate, Class I medical device prosthetic.

The times they are a changing.

Beyond just the FDA QSR and MDR rules, the new unique device identifier (UDI) regulation will be phased in over the next six year. 3D printed prosthetics – and other Class I devices – will need their own UDI as of 2019, if not sooner. How will this work if anyone can make their own fully functional, Class I device with a 3D printer? Keep in mind – this fully articulate, 3D printed prosthetic is just the first of future medical devices made onsite, at any site, in real-time with 3D printing.

In February 2012, a woman received an impantable replacement jaw made from a 3D printer. Presumably, any hospital could make such an implantable device on the fly, in real-time, fitted to each individual patient’s characteristics. Fabulous from a healthcare perspective but a real challenge in the context of regulations that date back to last century. Will this mean each hospital in the US has to seek its own UDI? Has to have its own quality system and device adverse event reporting programs?

FDA has an overwhelming workload now. Imagine in a few years when wide-spread 3D printing allows real-time, patient-side creation of almost any type of medical device, from prosthetics to implants, at any hospital, doctor's office or home.

Nanobots and the UDI Rule

It’s only going to get worse, though. A colleague of mine is working to commercialize injectable nanobots that scour arteries for plaque and other problems, and then, within 30 days, completely dissolve. Other firms are drawing up plans for similar nanobots to tackle digestive system issues and so on.

Thankfully for the agency, these nanobot based devices are almost a decade away. And the clinical trials will undoubtedly be highly scrutinized.

Here are just two questions injectable (or injestable) nanobots raise:

Are these devices or drugs or combination products?
How do you apply a UDI to something the eye cannot discern and that will disappear in 30 days?

Fundamentally, the challenge facing FDA – and facing all of us in compliance and quality – is that scientific and technologic progress is far outstripping FDA’s ability – much less any organization's ability – to understand its implications enough to be able to craft reasonable regulations and practical SOPs and policies. This is a challenge that will get far worse before it gets better.

When I give FDA compliance training and workshops to business execs and scientists, I make a point to note that regulation in the US today takes at least 8 years to go from blank sheet of paper to reality (note that the UDI rule was drafted long before Congress actually passed the authorizing FDAAA statute in 2007). The UDI rule took almost a decade to come to fruition in Congress and then be written so as to go into place this year...and with 3D printing (much less imminent nanobot devices), the UDI rule is already outdated before it formally takes effect.

How can FDA handle 3D printed devices, nano-technology medicines and other new advances?

FDA has little choice left but to regulate through guidance. Guidance documents can take less than a year to publish. And for those of us who provide expert regulatory intelligence and quality systems advice to clients, we’ve also noticed that FDA is increasingly reliant as well upon using Warning Letters to explain rules and requirements; see the recent push of late for FDA records management requirements in warning letters and this year's Ben Venue Laboratories consent decree.

Implications for Firms Today

Firms need to proactively manage the gathering and synthesizing of FDA regulatory intelligence, incorporating and applying it into their quality systems and product planning. Relying upon a regulation written before Y2K to tell you what to do in this era of social media, iPhones and 3D printing is akin to relying on a fax machine to quickly send a document. This is why FDA officials of late have cautioned against relying on former FDA officials whose last stint with the agency was twenty years ago; too much has changed since the 1990s.

Those firms large enough to dedicate a team of personnel to regulatory intelligence and its application will manage just fine over the 5-10 years, but what of firms that don’t have that kind of manpower and money? How will firms with more needs than personnel keep up with new FDA expectations and clarifications from guidance documents, warning letters, consent decrees, and even web-based FAQs?

Stay up with FDA guidance, warning letters and FAQs to avoid enforcement and new product delays.

Small to midsized firms should look to some type of outside service. Consider asking an industry expert with a good reputation to provide you regulatory intelligence services (if you need help determining how to get a good a consultant, follow the tips in this article). Ask the trusted compliance expert to provide ongoing review, analysis and suggestions stemming from “recent and newly published relevant FDA guidance documents, warning letters, consent decrees, and FAQs.” Be sure to scope out the service appropriately. Don’t ask for a weekly update if you only plan on incorporating suggestions on a quarterly basis. Most clients I deal with want advice on a monthly or quarterly basis. A good rule of thumb is to expect the expert to spend approximately 12-20 days a year providing you analysis and suggestions from relevant FDA items. Work this out for the consultant’s hourly rate or a fixed fee.

Another option, albeit much less tailored, is to subscribe to a regulatory intelligence newsletter or a quality systems newsletter such as Cerulean’s SmarterCompliance. Keep in mind that published newsletters have a large readership and so you may not find every issue to be of immediate impact. Make sure the newsletter offers a money-back guarantee of some sort so that if you cannot find anything of any value over a handful of issues, you can at least get some monies back.

FDA regulatory intelligence is only as good as its applicability. Talk with your quality system consultant or regulatory intelligence expert on how best to apply the ongoing advice in your organization; he or she should have some level of insight into what works best in day-to-day practice.

Posted at 09:31 AM in FDA Intel, FDA regulation, Medical Devices, Regulatory Intelligence | Permalink | Comments (0) | TrackBack (0)

22 September 2012

From the Pharma Contracting and Outsourcing Conference

This past week I was invited to speak at the Contract Pharma Contracting and Outsourcing Conference in New Jersey, where I spoke on how to sell compliance to senior management.

All too often we assume that compliance is an essential requirement when choosing a critical supplier. And the yet, when cost becomes the deciding factor, compliance becomes compromised or even forgotten for the sake of the bottom line.

Given that more people are hurt each year by toilets than receive FDA warning letters or FDA-483s, the threat of FDA enforcement is hardly a credible compliance encouragement. And so I opened day two of the conference by speaking on how lean FDA compliance can:

save money
enable greater revenue and profitability
simplify compliance
and generate easy metrics to both support those results and prove effective compliance to FDA.

I was followed by Addam Reynolds, a Consumer Safety Officer with FDA's New Jersey district office who spoke on recent FDA inspectional findings and trends. Mr. Reynolds summarized a number of trends in FDA-483s, comparing the previous year to this one. I've reproduced two of his summary tables below.

As we looked at the data, Mr. Reynolds made several explanatory comments of what was behind the numbers.

First, many of the new investigators now with FDA are well-versed in laboratory and manufacturing operations. A number of new hires have come from those laid off by the pharma industry - an irony not lost on attendees. With increased familiarity of modern-day manufacturing and laboratory settings comes increased scrutiny. Thus the increases in citations for noncompliance with 21 CFR 211.63 and 211.160(b)(4). Mr. Reynolds noted that "Firms are either not qualifying their equipment and instruments at all, or are not doing it right."

Second,the number of citations for 21 CFR 211.68(b), controls over computerized systems, is, in Mr. Reynolds insight to FDA thinking, "really about data integrity and data security." This continues FDA's special enforcement of Part 11 as a rule governing electronic data and records integrity; an enforcement approach that was officially announced in 2010. As Mr. Reynolds noted, most Part 11-relevent 483s happen because firms continue having systems "with little to no data integrity controls."

As I've written about extensively, been interviewed on, and consulted on, Part 11 is less about validating computers per se, and more about ensuring data integrity. To that point, validation is simply a means to an end. The most recent issue of my client newsletter, SmarterCompliance #68, explains in-depth how to use data mapping as a technique to simplify and streamline Part 11 compliance.

The rest of Contract Pharma's conference featured more excellent speakers on various contracting and supplier management issues, including site selection criteria, what to do when your CMO goes bankrupt, and more. If you've not attended this two-day conference before, I encourage you to do so next September. Attendees and speakers are focused on frank conversations about overcoming real-world challenges. I'll be there speaking. I'm thinking of doing something on parallels between choosing a puppy and choosing a supplier - lessons learned and puddles cleaned.

If you're looking for more lean compliance events, check my upcoming workshops and speaking events page on my website. In the near term, I'll be speaking:

September 25 - webinar on overseeing and verifying Part 11 compliance of your records at critical suppliers
October 3 - Part 11 enforcement today for OTC manufacturers
October 11 - webinar on best practices for quality system management reviews (a new requirement under the new EU GMPs Chapter 1 going into effect in January)

I hope you'll join me at one of these events.

Posted at 09:24 AM in Audits & Inspections, Event & Publication Calendar, FDA Enforcement, FDA regulation, Lean Compliance, Regulatory Intelligence, Supplier Management | Permalink | Comments (0) | TrackBack (0)

25 June 2012

Medical Apps, FDA and Patient Data Integrity

Two recent articles - one in the Washington Post entitled Health-care Apps of Smartphones Pit FDA Against Tech Industry and one in the Wall Street Journal entitled There's a Medical App for That-Or Not - have raised the spectre of how smartphone medical apps imply an imminent trainwreck between today's rapid-pace innovation and last century's slower-going FDA regulation.

vs?

What's the real question?

As I note in Get to Market Now!, new innovations and technologies emerge on average every 6 months while new or revised regulations take 12-14 years. Today, there are over 13,000 medical apps available for you and me; another 5,000 are available just for physicians and healthcare providers. By the time you finish reading this post, another medical app will have been published.

From a business perspective, the thought of FDA dragging down innovation to the rate of regulation is frightening. And while there is also the need to protect the public - and physicians - from medical apps that are unreliable, faulty, and just plain poor, is new regulation the answer? Is treating a $1.99 app like an MRI the answer? Innovation wouldn't stop. The price would just go up. Instead of paying $1.99, you'd just pay $1,990 for the app.

So, assuming that's not our goal, then what's the answer? Well, maybe we should step back from racing to find an answer, and reframe the question. Afterall, there's no point in arguing over the answer if we're not all answering the same question.

I suggest the real question has little to do with speeding innovation, keeping the public safe, enabling informed healthcare consumers, or making healthcare professionals more efficient. Those are all wonderful points, but they are not the core question behind how to, or even whether, we should regulate a medical app.

The real question is simpler: How do we - as a society - ensure that patients and healtcare providers can rely upon the health data used/maintained in a medical app?

Think about it. Would you want one of the regular updates to an app on your smartphone to corrupt all the previous data you had in it?

In today's video game market, data corruption is a painful reality becoming more and more common - patches and updates to games increasingly have to be withdrawn and redone because they accidentally corrupted and destroyed people's previous game data. It's too late for those consumers whose data files were destroyed.

"Well, sure," you say, "but those are game files. I mean, come on." And then think about it: is that what you want for your smartphone health app? You'd be hard-pressed to find a patient or a physician okay with running that risk for all their health data. Are you okay with all your health data and trends over the past year being wiped out while an update to your app is downloaded as you sit at Starbucks sipping that latte?

So this is the core question: how do we ensure that data entered into a medical app stays trustworthy?

And if we reframe it in this way, then we can cast about for already existing regulations, controls and tools. And yes, we already have them.

Today's Medical App Controls

I see four significant controls available today. The first two are pure market-driven, the second two are more "guiding hand" industry best practice combined with existing regulation:

1. Consumer reviews. Admittedly, there are some drawbacks to this as we don't know if the person writing the review is knowledgeable, and sites that rely on consumer reviews are usually fairly easy to game. So, consumer reviews are not a stand-alone control, only a piece of the control puzzle.

2. Product liability litigation. Yes, it's coming if not already occurring. Face it, if you can find a lawyer able to beat a restaurant for serving too hot a cup of coffee, you can find a lawyer able to beat a medical app for allowing your medical data to become corrupt. Still, because it can take up to two years for such product liability litigation to emerge, this is not a preventative except in the long, long-term. Product liability litigation is only another piece of the control puzzle. If nothing else, right now, medical app makers will want to include some level of documented risk assessment to patient data as part of their development process, otherwise, expect to defend why you didn't when you sit before the court in 18 months.

3. Software quality control practices. Great in theory, often poor in practice. The reality is that often companies cut quality control in order to rush products to market. When a medical app can be written and quality checked by the same person all in the span of a 14-hour day, software quality control is not a stand-alone data integrity control to rely upon. Nonetheless, I'd argue it is still a part of today's control puzzle. Everything from ISO to CMM should be on the table here, and it'd be nice if we could start to see some sort of reference by medical app makers to the software quality coding method used to make their app and its inevitable updates.

4. Part 11. Yes, I said it. 21 CFR 11 Electronic Records; Electronic Signatures. Now, before you bring up the spectre of "validate everything" (and trust me, as a recovering "validate everything" addict, I've got a lot of personally painful, embarrasing stories), I'm discussing how Part 11 (and the EU's Annex 11) are interpreted and enforced today. Today, Part 11 is all about data integrity - ensuring that data that is trustworthy. And isn't that the core question we just defined above?

So if a medical app provider can show that his/her medical app maintains data with integrity (i.e., is Part 11 compliant), isn't that enough for the vast majority of the 18,000+ medical apps out there?

Coincidentally, Sweden's Medical Products Agency just released a guide to the EU's medical device directives that discusses controls, risks, and expectations for medical software - including medical apps. Download a PDF of Sweden's guide here. It's approach seems quite reasonable. Makers of medical apps are to conduct a risk assessment of their app that includes risk to the patient (see control #2 above), and be able to demonstrate that the app meets its intended performance goals (see controls #3 and #4 above). Finally, the guide notes that smartphones and tablets, etc., will never be considered (and regulated as) medical devices unless they are specifically converted to be a medical device.

If only we in the States could be so reasonable....

Posted at 11:04 AM in FDA Intel, FDA regulation, IT Compliance (Part 11), Medical Apps, Medical Devices, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

04 June 2012

From the Medtech QA/RA Global Conference

New European medical device regulations are due within 18 months. The new rules will update the current Medical Device Directives (MDDs) for the 21st century, and close the gaps so brutally uncovered by the PIP scandal and the metal-on-metal issues. Industry is proactively adjusting their quality systems and regulatory compliance programs while key executives are encouraging EU regulators to avoid US-style over-regulation.

These were the principle themes infusing the two-day Medtech QA/RA Global Access 2012 conference hosted by the Irish Medical Device Association (IMDA) in Galway, Ireland last week. With over 250 medical technology companies calling Ireland home, including 11 of the top 13 device firms in the world, Ireland has become Europe's center of excellence for devices. And IMDA's Medtech meeting is Ireland's flagship conference.

Much of Day One was devoted to discussions of the planned MDD revisions, with speakers from the European Commission, the European Parliament, the Irish Medicines Board (IMB), Eucomed (the Advamed of Europe), and industry. Europe encourages "responsible innovation" by relying more upon vigorous postmarket surveillance, inspections and adverse event reporting rather than any pre-approval scheme such as the FDA's 510k. Instead, the EU has only pre-market assessments and the CE mark. IMB's Ann O'Conner noted that 65% of vigilence reporting leads to product recall and removal. This state of affairs, with its regulatory burden primarily on the postmarket stage, allows for rapid inclusion of new technology, and new scientific and engineering innovation, an approach I advocated in my latest book, Get to Market Now.

The EU's new MDDs will require a number of elements that are outlined in Global Hamonization Task Force (GHTF) guidelines such as:

Summary technical evaluation document (STED);
Unique device identifiers; and
Adoption of the GHTF's four risk categories for medical devices.

For readers of my client newsletter, SmarterCompliance, adoption of GHTF guidelines should come as no surprise. FDA is moving to GHTF inclusion as well, albeit a bit more slowly than Europe. Whether FDA's "slowly but surely" pace of harmonized rule adoption will inadvertently put US-based device makers at a disadvantage on the global marketplace remains to be seen. European parliamentary elections are scheduled for June 2014, so expect the new MDDs to be in place by then if not sooner.

In addition to a high-level presentation by FDA on "possible, eventual 510k updates," the rest of Day One was taken up with surveys of the state of device regulations in India, China, Russia, the Middle East and North Africa.

Day Two of the conference saw speakers delve more deeply into practical implications and challenges behind the new rules. One set of challenges will be the new clinical rules in the updated MDDs. The IMDA is hosting a two-day conference later this year to address the new EU clinical evidence rules.

I had the privilege of presenting on elements of a defensible record-keeping program for complaint handling and medical device reporting. The message I had for attendees was two-fold:

First, it is clear that complaint handling records and complaint files hold both regulatory and legal risks. Focusing only on quality system compliance can leave a firm vulnerable to disgruntled customers increasingly willing to file a lawsuit to get monetary compensation. Thus, quality auditors must also assess the content of complaint records to help minimize risk to their companies.

Second, complaints can come into a device company through more than just "official" channels. Whether a complaint is made to the saleswoman manning a conference booth or to the company vice-president speaking to a patient advocacy group, each person dealing with the public must receive some level of complaint handling training.

As with any in-person compliance speech or workshop I provide, I gave attendees handouts to help with both of these issues: an internal quality auditor checklist for reviewing complaint files and a list of complaint documentation do's and dont's.

The next IMDA Medtech conference is scheduled for 2014 just as the new EU MDDs come into force. It promises to be an exciting event, so keep an eye out for announcements.

In the meantime, consider attending some of these events where I'll be offering advice on optimizing your quality system and regulatory compliance programs:

June 14 teleconference on defensible documents
June 22 speech on the role of IT departments in effective regulatory compliance
July 25 teleconference on effectively managing an FDA inspection
July 31 workshop on 21st century supplier management and qualification

More upcoming lean compliance events can be found on my upcoming events page on the Cerulean website.

Posted at 10:50 AM in Event & Publication Calendar, Lean Compliance, Records Management & Retention, Regulatory Intelligence | Permalink | Comments (0) | TrackBack (0)

23 April 2012

Lowering Product Liability Risk with Supplier Due Diligence

Earlier this year, I spoke with medical product liability expert and lawyer, Sara Dyson, now an executive with MedMarc Insurance Group. As part of March's SmarterCompliance newsletter, her interview focused on ways to reduce drug and device product liability risks through effective supplier due diligence and vendor qualification.

Some excerpts:

SmarterCompliance: Does a product liability lawsuit emerge fairly quickly once the product is distributed or a clinical trial is run?

Dyson: On average, it takes about two years after the original problem for the lawsuit to materialize. This is why companies are so easily caught off guard. It’s not the most recent batch or lot that rolled off the production floor that is the subject of a lawsuit; it’s an historical lot or batch.

The lawsuit may resurrect a problem that the company has already otherwise addressed. Firms without an effective records retention schedule and policy will suffer as far too many old documents that were eligible for destruction were, instead, kept and are now available to the plaintiff to make his/her case.

SmarterCompliance: What makes the discovery phase of a lawsuit so dangerous? Is it because records, data, emails, samples, and so on from at least two years ago have to be turned over to the plaintiff’s lawyers?

Dyson: Yes. That’s why both the initial due diligence and ongoing monitoring of suppliers is so important. You want to have a good track record of documents showing your efforts to consistently evaluate and oversee your suppliers.

Additionally, too frequently, companies have not implemented document management plans or have out-of-date record retention rules, meaning that there is an abundance of documents that must be sorted through to locate relevant information. This then bogs down the discovery process and increases costs.

It takes about two years after the original problem for a liability lawsuit to materialize.

SmarterCompliance: What are some steps – beyond looking at additional research points during initial supplier evaluation – that supplier due diligence and oversight teams need to take?

Dyson: You may want to hire a third-party expert to show your supplier oversight team members how to review supplier oversight records to find hidden gaps and risks. For instance, a sponsor of a clinical trial run by a contract research organization (CRO) might want to hire a third party to train their clinical project managers on how to review the CRO’s qualification of various clinical sites, sort of a train-the-auditor type of session.

To read the rest of the interview and see all nine critical points that Ms. Dyson recommends be incorporated into your supplier management and qualification program, you'll need to subscribe to the monthly regulatory intelligence and quality system newsletter, SmarterCompliance.

You can read more ways to reduce medical products liability risks at MedMarc.

Posted at 10:17 AM in Event & Publication Calendar, Lean Compliance, Supplier Management | Permalink | Comments (0) | TrackBack (0)

02 April 2012

FDA Compliance Training - Onsite Workshop or Offsite Class?

Which is better - hiring a consultant to come and conduct an onsite workshop for my team or sending folks out to various third-party classes and industry conferences? Well, to paraphrase the FDA, it depends.

There are three typical considerations: cost, time, and customization. Some folks add "networking" and while I think there is truth to this, valuable networking is often outside the scope of your control. The person you send to the conference or class could be rather introverted, or the other attendees are not that interested, and so on. Thus, in terms of weighing the considerations, I don't add "networking," and instead add "expert advice specific to me."

Any measure of return on investment (ROI) has to address all four of these - and especially so for FDA compliance training or FDA quality systems training wherein cost control is a simple business reality. So let's look at each in turn, and use this to help make the determination.

Cost

The cost of training - whether an internal workshop or sending a team to external training - boils down to the following:

Per attendee registration fee
Per attendee travel
Per attendee training material

All things being equal, if we treat the trainer(s) as an "attendee" then the cost of an inhouse workshop is always cheaper than the cost of sending a team to an external activity.

Example

Assume a team of 10 and 1 trainer.

To send the team out will require 10 registration fees, 10 travel expense sets, and 10 sets of training material.

To bring the trainer internally will require 1 "registration fee" (workshop cost) that may be equal to the cost of 10 different registrations, so we should expect only a small savings here (if the registration fee is $500 per person and the internal workshop is $5,000, it's equal). The 10 sets of training material will still have to be purchased, so no savings here. But savings does come from reducing travel from 10 people down to 1. Unfortunately, for many companies, this comes out of a different budget (travel vs. training line items) and thus may not serve as a true savings to a department (although it is an overall company savings).

If we look at computer-based training such as attending a compliance teleconference/webinar or purchasing a recorded version, we can often get the cost down for the "registration" and eliminate the travel. As we'll see below, though, this eliminates the ability to achieve the other 3 factors, starting with timing.

Time/Schedule

To put it simply, to have someone out of the office - regardless of the technology tools you give them - costs productivity. Most of us view travel time as (some degree of) time away from the office or, at minimum, reduced work intensity level. Thus, while we check email and might work on Word or Excel or Powerpoint documents, by and large, we are not as productive traveling as are when we're plugged in at the office, available for spur of the moment questions, meetings, informal discussions, and so on.

Thus, time spent traveling to training acts as a drag on productivity.

There is also the additional challenge - and a very real one in today's fast-paced business climate - the schedule. If an external class or conference, or a webinar, is not held when we need it, then we don't go. Or the timing of the event might be incredibly inconvenient - maybe only 2 of the 10 team members can attend.

Conversely, with an onsite workshop, the timing and scheduling is up to you. You are in complete control. And this degree of control is hard to beat.

The only exception is IF - and that's a big IF - a pre-recorded FDA compliance/quality system webinar or teleconference happens to have taken place before you needed it (so it's available). At best, this is a 50-50 proposition.

Thus, we can see that in terms of timing and scheduling (and productivity), more often than not, an onsite workshop is better than waiting for the right external class at the right time and hoping it comes before it's too late. I have a friend who tells a great - albeit tragic - story about registering and waiting to attend an upcoming webinar on step-by-step FDA inspection readiness only to have the FDA show up on the morning of to begin their inspection. Needless to say, she and her team missed the webinar.

Customization

Simply put, for anything external - attendance at a class or industry conference or a generic compliance webinar - customization does not exist. Period. You get what the webinar, conference, and third-party planners involved believe will bring them the greatest amount of attendees (i.e., revenue) so it's always hit-or-miss as to how helpful any external event will be to your specific questions, concerns and needs.

On the other hand, an onsite workshop can be just as generic if you fail to work with the trainer/consultant to ensure customization that you need.

Here's the process I usually go through:

Initial discussion - this could be through email or phone
Draft high-level outline and agenda of the workshop - the goal here is to make sure I'm hitting all the big issues of concern and to get my host to think "Hmm...what else?"
Second discussion - often this is a teleconference with the host and his/her colleagues to discuss very specific questions within those bigger items they need answers on
Draft the workshop presentation - this gets sent to the host to review
Finalize the presentation and handouts

The point is that by the time I arrive to conduct the workshop, my host and his/her colleagues knows that they will get all the answers to their questions. This is a great feeling to have heading into an FDA compliance training session.

I also like to make sure to leave time on the agenda to do more than just Q&A, I love to get hands-on walkthrough of their processes and facilities in order to really bring home the points I made. This is what I'll call the fourth consideration, "Free Consulting."

Free Consulting

One topic I'm often asked to speak on is 21 CFR 11 or Part 11 compliance - what it looks like today, how to go about it cost-effectively, how FDA enforces Part 11 today, etc.

So, invariably, I run the workshop, and then, as part of the agenda, I spend a few hours with the team walking around to their various points of concern - in the factory, in the labs, in the offices. In essence, I'm taking them on a walkthrough of a mock FDA inspection.

And it's fascinating watching folks who, just minutes ago were nodding their heads at "don't share passwords," go to a computer system to login, announce "Oh, this is Mike's login - no problem, here's his password" (and they lift up the keyboard to reveal a sticky note of userIDs and passcodes).

Of course, I raise my eyebrows and say, "ahem." And everyone pauses, confused for a split second - and then, voila, the training sinks in. "Ohh...."

This is what I call "free consulting" - spending a few hours doing a real-world walkthrough of issues and questions in your environment when all you've paid for is an FDA compliance training workshop.

Final Thoughts

When you bring in someone to conduct an onsite workshop, make sure that individual comes with good recommendations - don't just pick someone because they spend $10,000 a month on Google advertising and their ad popped up first. Look at their previous attendee testimonials (there should be more than three or four), ask to see the trainer's resume/CV. Find out if they are willing to sign your non-disclosure agreement (it is your information, questions, etc., afterall).

Make sure that you and your team will have real-world, tangible - and accomplishable - next steps to take home as part of the training. Ensure that helpful handouts - checklists, article reprints, etc. - will be provided. And find out if the trainer is willing to be contaced over the next few weeks after the training with follow-up questions.

All of these will help customize your training experience and help you rapidly show a positive ROI.

Upcoming Events

Don't forget to join me:

April 26: How to Captivate Your Audience with Compliance Training

April 30: Step-by-Step Guide to FDA Inspections

May 23: FDA and Qualifying Virtual Suppliers

Posted at 08:31 AM in Event & Publication Calendar, Leadership Quick Tips, Lean Compliance | Permalink | Comments (1) | TrackBack (0)

11 March 2012

From the NIH - Biotechnology Landscape 2020

Last week I spoke to the NIH biotechnology business leadership in Bethesda, Maryland. To the standing room only crowd, I laid out the challenges that we face over the next decade - the rising cost of new drug development, the increasingly poor odds of success using traditional development methods, and the insidious risks associated with a push for more and more revenue while being slow to adopt more modern, proven (at least outside the biopharmaceutical industry) means of new product development.

Here are some the statistics I provided based on years of research and information gathering:

From lab to market, the chance of success is 1 in 205
And only 1 in a 1,000 to turn a profit
And only 1 in 5 will break even
75% of all prescriptions in the US are for low-cost generics
Only 33% of all biopharmaceutical firms are based in the US
47% of all R&D in US biotechnology companies is completely outsourced - those firms have zero labs
Over the next 18 months, the 8 big pharma/biotech companies will lose - from loss of patent protection - more money than the entire GDP of the continent of Africa and 90% of the continent of Latin America

As you can see, looking to "emerging markets" (such as Africa and Latin America) is not going to make up for the lost revenue. In addition, countries from China to Germany to Italy are mandating cuts in pricing to all drugs - new and old.

I then discussed potential ramifications:

Big bio/pharma firms stuck with organizational structures and departmental fiefdoms may be too slow to adapt, leading to constant rounds of cost-cutting (i.e., layoffs and outsourcing) and mergers
Small, nimble and largely virtual companies - biotechs, combination device firms, small pharmas - will fill the void left by struggling big pharma

These are not new predictions - others have made them before - but then I went on to discuss some impacts to the job market for biotechnology. Here, on the blog, I'll simply mention that over the next decade, we should plan for:

Project-based employment (such as a contractor/consultant/outsourced vendor)
LIttle company loyalty for those not vested in the small pharma, virtual biotech startup
Need to keep our job skills honed - technology/scientific skills are easily atrophied and in a global economy, it is more likely a small business employer will hire a different contractor/outsourced vendor rather than spend money on training anyone not part of the small company
The increasing adoption of new product development methodologies such as quality by design
A serious need for data integrity expertise for all the various clinical trials and studies
The need for cost-effective, streamlined quality systems - you can't comply inefficiently in a small company

A number of the attendees asked superb questions and offered some really great insights. One discussion we had revolved around how to lower the cost of healthcare overall, which in turn would then help lower the cost of medicines in a more controlled manner (rather than the precipitous patent cliff). One scientist visiting from Mexico noted that when a patient goes to the hospital, in order to keep overhead low, patients are given the opportunity to buy any drugs needed themselves rather than going through the hospital.

I look forward to talking with the group again next year. It's always quite energizing to layout the challenges and see folks willing to roll up their sleeves, get creative and get problem solving. For all the worries around the landscape ahead, I think we're growing a cadre of entrepreneurial scientists and engineers who will surmount the hurdles ahead.

Posted at 11:25 AM in Event & Publication Calendar | Permalink | Comments (0) | TrackBack (0)

04 January 2012

FDA Forecast for 2012

Expecting something from the FDA is a risky endeavor, and that makes it all the more worthwhile to read the tea leaves every once in a while.

*Note: This blog post is excerpted and adapted from Cerulean's special FDA in the New Year issue of our SmarterCompliance regulator intelligence newsletter, a yearly forecast of FDA activities and challenges in the new year along with specific recommendations and suggested activities for quality, regulatory affairs, records management, IT and other compliance executives.

General Outlook for FDA in 2012

The agency will struggle to maintain traction in 2012. Congress began second guessing a number of the agency’s actions in 2011. With tight budgets, no real money to spend and heavy lobbying pressure, Congress will continue to pull the FDA’s leaders into hearings and push FDA for new reports on its activities. This will divert agency energy away from making meaningful progress on the broad array of challenges faced by a government agency that oversees at least 27% of the US economy.

Meanwhile, FDA executives will have to ride through congressional hearings and inquiries with calm as President Obama cannot afford embarrassments or distractions in an election year. Expect Republicans in Congress to try to make the most of any FDA missteps. This will act as a drag on agency momentum and further drive downward agency morale. Congressional negativity had a poor effect on the agency in 2011, and we expect more of the same in 2012. Sadly, this will result in more retirements from the agency, continuing the loss of institutional knowledge.

Implications

FDA’s continuing knowledge loss, its growing reliance on external regulatory science partnerships, and congressional pressure to "encourage innovation" (i.e., foster jobs in an election year) will leave the agency vulnerable. If you have borderline technologies or medicines that will be made in the US, bring validated, independent science - with data that has integrity - to back up your claims (or counterclaims), the agency may be forced into a stalemate you can favorably resolve with post-market surveillance promises. Even if you are in a device firm, look to recent REMS guidance and examples to pro-actively propose a series of post-market surveillance activities and patient safety control measures.
Emphasis on corporate responsibility at the executive level will continue as a subtext of inspections. As we predicted in 2010, this became evident in 2011 with the increased emphasis on the Park Doctrine. Expect more of the same in 2012; the more FDA can showcase industry executives who ignored patient safety regulations, the greater leeway the agency will gain in congressional hearings and in budgetary battles. Thus, if you've been putting it off or haven't done it regularly enough, this is the year to review with senior management their role and seven key responsibilities in ensuring an effective quality system (see a related webinar on January 31 on FDA expectations for senior management).

Want More?

December's issue of SmarterCompliance included 32 outlooks for FDA in 2012 like the ones above, along with 24 specific recommendations for subscribers to consider adopting in their organizations. Get your copy of the issue by subscribing today.

And on another note - FDA has again redesigned its website. For those of you who remember the 2010 redesign, don't start redoing the bookmarking immediately, wait 6-8 months for the agency to get all the kinks worked out. Currently, a number of the links on the new fda.gov landing page don't work or send you off in the wrong direction. Nonetheless, the redesign will be helpful when its complete (Yes, properly functioning links are part of a completed redesign - you can't give a house an exterior paint job and call it "newly renovated").

Here's to a positive 2012 full of easy surprises.

Posted at 10:48 AM in FDA Intel | Permalink | Comments (0) | TrackBack (0)

Practical FDA compliance intelligence and insights