Compliance Zen: Data Integrity & Part 11

Data Integrity & Part 11

24 August 2015

5 Helpful Data Integrity Resources

Looking for reliable, "how to" information around data integrity on the web can be a bit of a challenge. One man's "data integrity" is another man's "data quality" is another man's "data governance." Without delving into the minutiae of each of these perspectives, I thought I'd offer up five of the resources I frequently call upon when conducting data integrity audits and data integrity training.

MHRA Inspectorate Blog on cGMP Topics

Recently, the UK's MHRA has run a series of blog postings on data integrity - what it is and what it ain't from the regulators perspective. Here are the three worth reviewing:

The last one is of particular importance because so often cGCP compliance gets the short end of the stick when it comes to public data integrity enforcement. While GMP warning letters get media attention, when clinical data integrity fails, firms can actually go out of business as FDA and other regulators reject significant parts of submissions such as multiple investigator sites or send back complete response letters that jeopardize investments and raise the ire of shareholders. Clinical data integrity issues don't make the news often, but just one clinical trial with poor data integrity can easily cost a company years of effort and millions of dollars down the drain.

FDA Guidance on BECS Computerized System Validation

If you've been wondering why people are reopening and reviewing FDA's 2013 guidance, Blood Establishment Computer Validation in the User's Facility, then the short answer is that it offers fairly concise information and guidance on what FDA expects around modern computerized system validation when it comes to testing and ensuring data integrity. Be aware that way back in the preamble to 21 CFR 11 Electronic Records; Electronic Signatures, question #65, FDA strongly suggested that this guidance (the draft version at least) was essential reading for all industries.

Responsible Conduct of Research at Northern Illinois University

This collection of webpages includes a nice summary of data integrity control points around data collection for scientists and researchers. It includes elements of both quality control and quality assurance, and provides additional reference documents.

HHS HIPAA Security Series

Whether your organization is regulated by HIPAA or not, a review of the HIPAA Security Series #4 Security Standards: Technical Safeguards newsletter from 2007 is well worth your time. The 17-page newsletter walks through specific technical security safeguards to put in place and test around data; safeguards that look remarkably (or not so remarkably, depending on your perspective) like those found in 21 CFR 11, Annex 11 and multiple guidance documents.

FDA's Application Integrity Policy - Points to Consider

Primarily used for submission-related data integrity concerns, parts of FDA's Application Integrity Policy are important to review regardless of where you sit on the cGXP continuum. In particular, review FDA's Points to Consider for Internal Reviews and Corrective Action Operating Plans (caution: this FDA link can sometimes take forever to open). Even though this is from 1991, there is a lot of good information within this section of the policy (e.g., it's an oldie but a goodie).

Of course, this all presumes you haven't already bookmarked Cerulean's resource library for data integrity-related articles, case studies, interviews, and so on.

Posted at 01:10 PM in Data Integrity & Part 11, Recommended Reading, Records Management & Retention | Permalink | Comments (1)

27 April 2015

Parsing Data Integrity Definitions

Earlier this year, the UK’s MHRA published GMP Data Integrity Definitions and Guidance for Industry. This sixteen page document lays out definitions of various data integrity terms such as “data lifecycle” and “metadata” and “primary record” used by MHRA regulators and inspectors. Whether your firm sells medicinal products in the UK or not, this guidance document is well worth the time to read. Embedded throughout the document are multiple suggestions and expectations of real-world regulated data integrity controls that MHRA expects – and that FDA expects (at least according to public FDA Warning Letters issued over the past five years).

Amongst the various definitions and example controls set out by MHRA, are these four:

Data integrity
Data lifecycle
Raw data
Original record/True copy

Just these four terms have caused a great deal of consternation and confusion in the industry, and MHRA sets out to provide a framework within which to consider controlling the conversation and the data integrity expectations.

Data Integrity is “The extent to which all data are complete, consistent and accurate throughout the data lifecycle.”

Real-World Implication: In order to ensure data accuracy, legibility, consistency, originality, attributability, completeness, etc. throughout the data lifecycle, data integrity controls need to exist all along the data chain-of-custody – from initial data creation, data processing and manipulation and usage, data transmission and/or interim storage, and then finally through long-term data archival and retention. Computerized system validation is only going to go so far. Firms need data integrity policies, procedures, audits, training, and so on throughout all four stages of the data lifecycle.

Data Lifecycle is “All phases in the life of the data (including raw data) from initial generation and recording through processing (including transformation or migration), use, data retention, archive/retrieval and destruction.”

Real-World Implication: All four stages of the data lifecycle need to be controlled, especially if the firm has a supplier create, manage, use, store, transmit, et al regulated data on its behalf. Data integrity controls must exist within – and a firm must audit – suppliers dealing in regulated data. Firms may want to obtain help from a data integrity expert to identify appropriate data chain-of-custody controls to insist upon at suppliers. Not all data integrity controls are created equal, and more data integrity should exist at a contract manufacturer or clinical research organization than at a supplier who simply prints product inserts.

Raw Data is “Original records and documentation, retained in the format in which they were originally generated (i.e. paper or electronic), or as a ‘true copy’. Raw data must be contemporaneously and accurately recorded by permanent means. In the case of basic electronic equipment which does not store electronic data, or provides only a printed data output (e.g. balance or pH meter), the printout constitutes the raw data.”

Real-World Implication: Conversely, for data that are used to generate chromatographs, spectrographs, and other visual analyses, the raw data will likely need to be retained in its original, digital form. As FDA notes, “The printed paper copy of the chromatogram would not be considered a “true copy” of the entire electronic raw data used to create that chromatogram, as required by 21 CFR 211.180(d). The printed chromatogram would also not be considered an “exact and complete” copy of the electronic raw data used to create the chromatogram, as required by 21 CFR 211.68. The chromatogram does not generally include, for example, the injection sequence, instrument method, integration method, or the audit trail, of which all were used to create the chromatogram or are associated with its validity. Therefore, the printed chromatograms used in drug manufacturing and testing do not satisfy the predicate rule requirements in 21 CFR Part 211. The electronic records created by the computerized laboratory systems must be maintained under these requirements” [see FDA's Level 2 FAQs on cGMPs].

In other words, there is no getting around the need for data integrity controls in the 21^st century.

Original Record/True Copy is “Data as the file or format in which it was originally generated, preserving the integrity (accuracy, completeness, content and meaning) of the record, e.g. original paper record of manual observation, or electronic raw data file from a computerized system; a True Copy is an exact verified copy of an original record.”

Real-World Implication: This definition and its attended verification expectations is not just an MHRA expectation, it’s been a legal and regulatory expectation since the early 1990s, embedded in FDA 21 CFR § 11 (e.g., Part 11), the US Uniform Electronic Transactions Act of 1999, the international legal concept of a “certified copy,” parts of FDA’s Application Integrity Policy of 1991, and the most recent, internationally accepted British Standard 10008 Evidential Weight and Legal Admissibility of Information Stored Electronically (2014) that I was responsible for reviewing, editing, and verifying late last year.

MHRA’s data integrity definition guidance is one of many examples of insight into how data integrity controls allow the regulator – and thus the patient – to trust and rely upon your data claiming product safety and efficacy. While digital data integrity has been an established legal and regulatory principle for several decades now, the controls around data integrity are constantly evolving as technology, businesses processes, and organizations evolve. As should be evident from just the above four definitions, data integrity is not just an IT concern or a quality concern or a regulatory concern.

Data integrity is an issue of trust. Either all the regulated day your organization generates, obtains from suppliers, uses, relies upon, and archives is trustworthy or it isn’t. You can’t have a little bit of data integrity just as you can’t be a little bit pregnant. Your data is either trustworthy or it isn’t.

If you need help with regulated data integrity chain-of-custody controls on any or all of the four stages of the data lifecycle, contact a data integrity expert through my firm’s website, Ceruleanllc.com.

Posted at 08:36 AM in Data Integrity & Part 11, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

10 March 2015

More FDA Data Integrity FAQs

FDA updated its FAQ page on Good Manufacturing Practices with several data integrity and Part 11 related questions and answers, including:

Why does FDA object to using actual samples to perform system suitability testing?
Why is FDA concerned with the use of shared login accounts for computerized systems?

The answer to the latter should be obvious. You can't prove the authenticity of the data or hold the data owner accountable if you cannot identify who actually created or modified the data. Shared logins blur the lines and hide clarity around who created, or modified, or destroyed data.

As regards to using actual samples to perform system suitability testing, here's what FDA states:

"FDA wants to discourage the practice of “testing into compliance.” In some situations, the use of actual samples to perform system suitability testing can be a means of testing into compliance.

According to USP, system suitability tests should include replicate injections of a standard preparation or other standard solutions to determine if requirements for precision are met (ref. USP General Chapter <621> Chromatography). System suitability tests, including the identity of the preparation to be injected and the rational for its selection, should be performed according to the firm’s established written procedures and the approved application or applicable compendial monograph (§ 211.160).

If an actual sample is to be used for system suitability, it should be a properly characterized secondary standard and written procedures should be established and followed (§ 211.160 and 211.165). All data should be included in the data set that is retained and subject to review unless there is documented scientific justification for its exclusion."

(see http://www.fda.gov/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/ucm124787.htm#7)

One way to read this is to state that the use of actual samples can be too tempting for some firms. Better for firms to all use industry-standard samples (e.g., standard solutions).

From FDA's perspective, if a system is tested using a standard solution, and the system works fine; then when using the firm's actual production samples, the system produces errors, the system is not at fault - the firm's actual product is faulty. This is FDA's logic and aside from some unique, one-off situations, it's difficult to disagree.

Notice that all data integrity FAQs at FDA are filed under the "Records and Reports" heading; again emphasizing that data integrity and Part 11 compliance are NOT about computerized systems and software per se, and instead about:

Reliability and integrity of the regulated data and records; and/or
Reliability and consistency of any automated process that is a regulated process (e.g., an automated GMP or GLP or GCP processes).

If your firm needs independent guidance on data integrity, FDA recordkeeping and cost-effective Part 11 compliance, consider an onsite, private data integrity best practices workshop or an expert data integrity consultant.

Posted at 01:22 PM in Data Integrity & Part 11, FDA | Permalink | Comments (0) | TrackBack (0)

03 February 2015

Five FDA Part 11 FAQs

As part of my work with FDA data integrity and Part 11 compliance, I typically address dozens of unique client questions around data integrity and cost-effective Part 11 compliance. And yet, in nearly every consulting engagement, conference speech, or private data integrity corporate workshop, people naturally end up asking a handful of fairly similar questions.

Below are five frequently asked questions that I often receive around Part 11 and data integrity:

1. What are some specific trigger events that should cause us to re-evaluate - or at least take a quick review of - our progress on data integrity and Part 11 compliance?

Clearly one trigger event is when the FDA (or a sister agency such as EMA) publishes a new regulatory guidance document related to Part 11 or data integrity, even if it may not appear - at first blush - that the guidance applies to your business. A perfect example is the 2013 FDA guidance, Blood Establishment Computer System Validation in the User's Facility.

Another trigger event might be if your organization makes a major policy or process change related to record retention. For instance, if your firm moves away from a traditional "print and retain" model of keeping required records to a more electronic archiving model. This would be a point wherein you would want to review your FDA recordkeeping policies and procedures, update them as necessary, and then pair them with a review of your data integrity controls around long-term data archival. Do you have the right policies in place? A good data archival retrieval auditing and sampling process? Has the process for data archival been validated?

A third trigger event to consider is if your organization undertakes a new business partner or a new supplier that will be creating regulated data on your behalf, storing regulated data on your behalf, or otherwise manipulating and processing regulated data on your behalf. Typical examples include a new contract research organization or a new contract manufacturing organization. Getting a data integrity audit of critical suppliers is increasingly a "must-do," especially for firms dealing with clinical data.

2. If our data is completely electronic - we use no paper source data at all - is there a requirement to print out our data in order to retain it for long-term storage?

No. Organizations are allowed to retain their data in a completely digital format. You can verify this by reviewing the various US-based data integrity regulations and FDA recordkeeping regulations (this list is valid as of January 2015). In the US specifically, the Uniform Electronic Transactions Act (UETA) and the Federal Rules of Civil Procedure (FRCP) require courts and government agencies to accept original source data and original signatures that are digital as long as some level of controls have been put in place to ensure the data (and any signatures) have integrity; thus, for FDA, those controls are spelled out in 21 CFR 11 Electronic Records; Electronic Signatures.

3. If we have some records in other languages and we do internal translations - including manual verifications by native speakers of that language - do the systems on which we do the translation work need to be Part 11 compliant?

No, in part because you are doing manual verifications of the translations by individuals fluent in that language. If your translation process was completely automated - say you were using Google Translate - and really had no clue if the translation was proper, accurate, grammatically correct, etc., and this was for records required under FDA statutes or regulations, Part 11 compliance would probably be the least of your issues. Part 11 is only designed to ensure that a digital record and signature are just as trustworthy as a similar paper record and ink signature.

If you had a paper, typed record translated by someone and you had no way to know or verify that the person's translation was correct, proper, grammatically logical, etc., you'd still have the exact same issues. Since you don't know the trustworthiness of the original record in its original language, you don't know whether the translated version of the record is accurate, complete, etc. That's one of the reasons that translation services use multiple translators to double- and triple-check each translation, and provide a certificate of accuracy.

It's my opinion that leaving the translation of a regulated record up to an automated translation software - no matter how good - without some level of post-translation verification is a huge risk, especially for FDA required records and records dealing product safety, efficacy and regulatory compliance.

4. In six months, we're moving to a new electronic system that will be validated for our complaint handling and CAPA handling processes - can we just tell the FDA investigator this and not worry about showing progress toward meeting Part 11 compliance?

Technically, if this was the only system that the investigator decided needed to be validated, and you could show some level of proof of purchase, the project plan, the vendor qualification status, and so on, then you *might* not need to worry. In reality, however, it is exceedingly unlikely that the FDA investigator will only see the need to confine Part 11 compliance and data integrity controls to just your complaint and CAPA data.

If you review both Part 11 and its preamble, as well as nearly all the Part 11 guidance that FDA has published since 2000, it should be clear that FDA consistently expects all the electronic records that you rely upon to make decisions around product safety, efficacy, and regulatory compliance to have integrity. In addition to validation, other data integrity controls need to be in place (validation cannot, by itself, for instance, prevent data fraud). Thus, you will want to have a plan - such as a site master validation plan or site master data integrity compliance plan - on which you can show progress and show how you ensure data integrity across the record lifecycle, from initial data creation to long-term data archival.

Lastly, it's important to always keep in mind that an audit or inspection is simply a "snapshot in time." So not having any progress on Part 11 will still likely net you a Form FDA-483 observation, but the proof you can show of impending validation completion plus all the current additional data integrity controls you do have might be able to mitigate that 483 enough so that you do not receive a Warning Letter citing poor data integrity. When I hold data integrity workshops, one of the significant section we always discuss is around all of the various data integrity controls that you can have beyond just "validation." Ironically, it's been my experience that many organizations do have multiple data integrity controls operating, they just don't realize it - or call them out as such - and so they do not get credit from FDA.

5. Is there any guidance available from FDA for qualifying or validating Excel spreadsheets?

Yes, although it's not a "guidance for industry" per se. FDA has published it's internal policy for how it expects Excel spreadsheets used for scientific calculations, formulations, macros, etc., to be validated. So one activity my clients undertake with is to review the FDA process Development and Validation of Spreadsheets for Calculation of Data, and then craft a reasonable, pragmatic spreadsheet macro validation SOP. It's important not to go overboard when applying controls to spreadsheets and trying to validate macros. If you review that FDA process, you'll see that if it takes you more than a day or two to validate a typical spreadsheet, you're probably doing too much - and that's a clear indication that you will save money, reduce your risk, and benefit from expert help on how to streamline and simply Part 11 compliance and FDA data integrity.

Are there any questions you frequently find come up in your organization around Part 11 or digital data integrity? Comment below or contact me directly.

Posted at 12:19 PM in Data Integrity & Part 11, Lean Compliance | Permalink | Comments (0) | TrackBack (0)

03 January 2014

FDA Inspection Handling – 10 FAQs and Tips for 2014

FDA inspections are stressful and worrisome. Failed FDA inspection costs include sales revenue loss, stock price decline, and public embarrassment from FDA warning letters and FDA-483 observations.

Every so often, it’s good to recalibrate by looking at frequently asked questions when it comes to FDA inspections. I’ve gathered these questions, answers and tips over the past two years with clients, and with current and retired FDA officials. When reading through these FDA inspection FAQs, use your own best judgment or that of an FDA expert you’ve hired to help you succeed.

1. Does FDA look at and trend product liability litigation for food, drugs, medical devices, cosmetics, etc. in order to figure out which companies to inspect?

Yes. The FDA is not blind to reality. FDA’s charter is to protect public safety. If people, through product liability litigation, are having to take matters into their own hands to go after companies for putting ineffective or unsafe products on the market, FDA could be seen as not performing its task. So yes, FDA pays very close attention to product liability litigation.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, and Larry Spears, retired FDA Deputy Director for Regulatory Affairs

2. How does an FDA investigator prepare for an inspection?

Prior to an inspection, the investigator(s) will create an inspection plan that is largely based on the following information:

Any previous establishment inspection reports (EIRs)
Any previous FDA Form 483 observations, especially those that require follow-up
Company responses (to FDA-483s) and commitments
Firm’s website (including product literature, executive profiles, physical location profiles, recent press releases, etc.)
Consumer complaints that have come in since the last inspection
Adverse events that have come in since the last inspection
Any recalls or other field activities that have occurred since the last inspection
Any product submissions and applications, specifically to find critical components or ingredients or processes that were of concern to FDA reviewers
Online research through the web.

Online web research can be further broken into three main areas:

Online videos of your products in use (including if consumers have posted videos comparing/contrasting to other competing products, etc.)
Social media sites (especially for complaints about your product)
Searches for your company name or product name(s) along with key words (such as “review” or “fraud” or “FDA”).

- summarized from Rachel Harrington, FDA, Office of Regulatory Affairs and Tim Wells, retired FDA Team Leader for the QSIT Project

An effective, independent FDA compliance gap analysis can help you pinpoint areas to strengthen in your compliance efforts before the FDA investigator arrives.

3. Is a follow-up inspection (a closeout inspection from a warning letter) still a “regular” inspection?

Yes. FDA investigators treat a closeout or follow-up inspection as a normal inspection. You can be cited for new or additional items.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs

4. Do pre-approval inspections (PAI) rely upon QSIT, and if so, what level are they?

PAI inspections are Level 2 QSIT inspections by default. FDA reviewers of a submission will identify areas of concern for the investigator to look at during the inspection (such as GCP data integrity controls). PAI inspections may cover everything from nonclinical supporting GLP-compliance, through GCP compliance, to GMP compliance, and even delve into how the company will monitor and control the product once it is approved and on the market.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, Erin McFiren, FDA, Office of Regulatory Affairs, and Tim Wells, retired FDA Team Leader for the QSIT Project

A level 2 QSIT inspection is a comprehensive inspection, covering all four major quality system subsystems - management controls, development, CAPA, and production and process controls – as well as reviewing the remaining three subsystems (facilities and equipment controls, materials and supplier controls, and records controls) throughout as these three subsystems cut across all four major subsystems. Thus, 21 CFR 11 controls will be reviewed and inspected throughout the PAI, not just during review of the design and development (e.g., design control) subsystem. Learn more about the details of Level 2 QSIT inspections at the FDA: www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm244267.htm

5. Will FDA investigators ask for supplier audit reports?

FDASIA 2012 expressly granted FDA the power to require supplier audit reports during regular inspections (see Title VII of FDASIA). That said, by internal policy, FDA discourages investigators from asking for the report in the hopes that this will encourage firms to be more candid and clear in supplier audits. Unfortunately, as was painfully shown during the recent Heparin scandal, FDA’s hope has not panned out. Far too many firms conduct “meet and greet” supplier audits with little meaningful impact. Thus, increasingly FDA investigators are taking advantage of FDASIA’s new powers and requesting copies of supplier audit reports.

It should also be noted that FDA has always requested supplier audit reports under various conditions as identified in the FDA Compliance Policy Guide, section 130.300, FDA Access to Results of Quality Assurance Program Audits and Inspections (www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm073841.htm):

During directed or “for cause” inspections of a sponsor or monitor of a clinical trial
In inspections where access to such records is authorized by statute (such as FDASIA)
When public safety is at risk
In litigation (or in support thereof)
When executing a search warrant
When a firm’s internal audit program is insufficient or otherwise deemed ineffective by FDA.

This last point is often overlooked. Technically, if the FDA investigator writes down a Form FDA-483 observation that a firm’s quality audit program is insufficient, the FDA investigator can then review the firm’s supplier audit reports. (Note: Personally, I’m not aware of any incidents where this has occurred, and so I encourage you to be cognizant that an effective quality system audit program is necessary to show FDA you are overseeing your suppliers appropriately.) It is thus in a firm’s interest to ensure that it has a robust, FDA supplier audit program that can withstand both FDA investigator and product liability litigator scrutiny.

Finally, always remember that FDA counts any corrective actions from supplier audits as CAPA documentation and freely open to review by any FDA investigator.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, and Rachel Harrington, FDA, Office of Regulatory Affairs

6. How does computer validation play into regular inspections?

As of the end of 2013, FDA’s special enforcement of 21 CFR 11 (e.g., "Part 11") is still ongoing.

Part 11 will come up throughout an inspection as it is a regulation that cuts across all quality system subsystems. If records are used or kept in digital form, or if a computerized system is used to automate a regulated process (such as production, lab testing, etc.), then the FDA investigator will ask Part 11-relevant questions.

FDA looks to see if you are verifying the functions that you use of a software or a computerized system in your environment, especially those functions related to data integrity. For instance, with a spreadsheet macro, the FDA investigator will expect to see a simple verification of your use of the macro in your environment, documented with a validation protocol, document testing, and a summary report. Do not validate Excel, just the use of the macro within your environment. Questions that the FDA investigator might ask include: How do you know the results of the macro are correct? Are complete? Did not drop off various data inputs? and so forth. These types of Part 11 validation are the ones to concentrate on.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, and David Chesney, retired FDA District Director

7. How does FDA handle a situation when – during photo taking during the inspection – confidential patient information and/or trade secret information is accidentally captured in the photograph?

FDA treats all photographs, videos, documents, notes, etc. as confidential. All such items go through FOIA to redact such sensitive information before they are released.

- summarized from David Chesney, retired FDA District Director

Personally, I suggest you consider making sure to identify in your inspection notes what photographs the FDA investigator took; if possible, take a similar photograph. Then, in your response to the inspection, make sure to identify the photograph and any specific confidential or trade secret information that may have inadvertently been captured by the FDA photograph. This will help FDA to redact the appropriate information while providing you some degree of assurance that they understand and acknowledge the situation.

8. Where is FDA on adapting or accepting remote or online/virtual inspections? Is FDA ready for online/remote inspections like a number of other notified bodies?

FDASIA 2012 granted FDA the power to conduct remote and even online/virtual inspections. However, FDA is currently not positioned to take advantage of this. The agency is planning to start a pilot program wherein part of the inspection will be conducted remotely (e.g., remote document review) followed by a briefer onsite inspection portion.

Keep in mind that at its core, FDA is a regulatory enforcement agency. As such, during inspections, it is technically collecting evidence. For companies doing all the right things, it is in their interest to have FDA investigators physically visit and see firsthand how well the company is doing. For firms with more … “soft” …. approaches to compliance, a remote or online/virtual inspection has less of a chance to uncover gaps. FDA is well aware of this. In order to address this, expect FDA over the next few years, to take a two-step approach to an inspection: part one is a remote review of policies, SOPs, etc., (presumably through PDFs sent to the agency); this will then inform and shape part two, the onsite inspection.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, and Rachel Harrington, FDA, Office of Regulatory Affairs

When I conduct FDA compliance gap and remediation analyses, I prefer this two-step approach because it provides a high degree of efficiency, effectiveness, and enhanced ROI for everyone involved.

9. What are “management discussion items” and what are the implications to a firm?

Management discussion items are non-compliance observations not written onto the Form FDA-483. Management discussion items are compliance deviations that the FDA investigator believes to be of lesser significance than the documented 483s.

However…

Management discussion items can still end up as warning letter citations because the FDA district office or FDA head office believes they are more serious than originally assumed. Thus, if you address management discussion items in your response to FDA, you may want to notify the district that you are working to resolve the items as well as the written 483 observations.

Keep in mind that to FDA, as long as an observation of non-compliance was documented in the FDA investigator’s notes, written on a Form FDA-483, or spoken about to a firm's management, FDA considers the observation “documented by FDA.” FDA is, at its heart, an enforcement agency collecting evidence when it conducts an inspection.

Finally, be aware that management discussion items can be treated as repeat violations if found again in a follow-up or a second FDA inspection.

- summarized from Rachel Harrington, FDA, Office of Regulatory Affairs, Erin McFiren, FDA, Office of Regulatory Affairs, and David Chesney, retired FDA District Director

10. How long after an inspection will we receive a copy of the EIR (Establish Inspection Report) and/or any warning letter?

Technically, up to 45 days after the inspection. In reality, depending on the type, depth, and other FDA inspection conditions, it can be up to 3-6 months after the FDA investigator leaves. Nonetheless, your FDA inspection response and remediation plan is still due to the agency within 15 business days after departure of the FDA investigator.

- summarized from Lori Lawless, FDA, Office of Regulatory Affairs, Tim Wells, retired FDA Team Leader for the QSIT Project, and Larry Spears, retired FDA Deputy Director for Regulatory Affairs

If you have any further questions, or need help complying cost-effectively with FDA regulations, please contact me through my consulting firm, Cerulean Associates LLC.

Posted at 08:58 AM in Audits & Inspections, Data Integrity & Part 11, FDA, FDA Enforcement, FDA Regulations | Permalink | Comments (0) | TrackBack (0)

25 June 2012

Medical Apps, FDA and Patient Data Integrity

Two recent articles - one in the Washington Post entitled Health-care Apps of Smartphones Pit FDA Against Tech Industry and one in the Wall Street Journal entitled There's a Medical App for That-Or Not - have raised the spectre of how smartphone medical apps imply an imminent trainwreck between today's rapid-pace innovation and last century's slower-going FDA regulation.

vs?

What's the real question?

As I note in Get to Market Now!, new innovations and technologies emerge on average every 6 months while new or revised regulations take 12-14 years. Today, there are over 13,000 medical apps available for you and me; another 5,000 are available just for physicians and healthcare providers. By the time you finish reading this post, another medical app will have been published.

From a business perspective, the thought of FDA dragging down innovation to the rate of regulation is frightening. And while there is also the need to protect the public - and physicians - from medical apps that are unreliable, faulty, and just plain poor, is new regulation the answer? Is treating a $1.99 app like an MRI the answer? Innovation wouldn't stop. The price would just go up. Instead of paying $1.99, you'd just pay $1,990 for the app.

So, assuming that's not our goal, then what's the answer? Well, maybe we should step back from racing to find an answer, and reframe the question. Afterall, there's no point in arguing over the answer if we're not all answering the same question.

I suggest the real question has little to do with speeding innovation, keeping the public safe, enabling informed healthcare consumers, or making healthcare professionals more efficient. Those are all wonderful points, but they are not the core question behind how to, or even whether, we should regulate a medical app.

The real question is simpler: How do we - as a society - ensure that patients and healtcare providers can rely upon the health data used/maintained in a medical app?

Think about it. Would you want one of the regular updates to an app on your smartphone to corrupt all the previous data you had in it?

In today's video game market, data corruption is a painful reality becoming more and more common - patches and updates to games increasingly have to be withdrawn and redone because they accidentally corrupted and destroyed people's previous game data. It's too late for those consumers whose data files were destroyed.

"Well, sure," you say, "but those are game files. I mean, come on." And then think about it: is that what you want for your smartphone health app? You'd be hard-pressed to find a patient or a physician okay with running that risk for all their health data. Are you okay with all your health data and trends over the past year being wiped out while an update to your app is downloaded as you sit at Starbucks sipping that latte?

So this is the core question: how do we ensure that data entered into a medical app stays trustworthy?

And if we reframe it in this way, then we can cast about for already existing regulations, controls and tools. And yes, we already have them.

Today's Medical App Controls

I see four significant controls available today. The first two are pure market-driven, the second two are more "guiding hand" industry best practice combined with existing regulation:

1. Consumer reviews. Admittedly, there are some drawbacks to this as we don't know if the person writing the review is knowledgeable, and sites that rely on consumer reviews are usually fairly easy to game. So, consumer reviews are not a stand-alone control, only a piece of the control puzzle.

2. Product liability litigation. Yes, it's coming if not already occurring. Face it, if you can find a lawyer able to beat a restaurant for serving too hot a cup of coffee, you can find a lawyer able to beat a medical app for allowing your medical data to become corrupt. Still, because it can take up to two years for such product liability litigation to emerge, this is not a preventative except in the long, long-term. Product liability litigation is only another piece of the control puzzle. If nothing else, right now, medical app makers will want to include some level of documented risk assessment to patient data as part of their development process, otherwise, expect to defend why you didn't when you sit before the court in 18 months.

3. Software quality control practices. Great in theory, often poor in practice. The reality is that often companies cut quality control in order to rush products to market. When a medical app can be written and quality checked by the same person all in the span of a 14-hour day, software quality control is not a stand-alone data integrity control to rely upon. Nonetheless, I'd argue it is still a part of today's control puzzle. Everything from ISO to CMM should be on the table here, and it'd be nice if we could start to see some sort of reference by medical app makers to the software quality coding method used to make their app and its inevitable updates.

4. Part 11. Yes, I said it. 21 CFR 11 Electronic Records; Electronic Signatures. Now, before you bring up the spectre of "validate everything" (and trust me, as a recovering "validate everything" addict, I've got a lot of personally painful, embarrasing stories), I'm discussing how Part 11 (and the EU's Annex 11) are interpreted and enforced today. Today, Part 11 is all about data integrity - ensuring that data that is trustworthy. And isn't that the core question we just defined above?

So if a medical app provider can show that his/her medical app maintains data with integrity (i.e., is Part 11 compliant), isn't that enough for the vast majority of the 18,000+ medical apps out there?

Coincidentally, Sweden's Medical Products Agency just released a guide to the EU's medical device directives that discusses controls, risks, and expectations for medical software - including medical apps. Download a PDF of Sweden's guide here. It's approach seems quite reasonable. Makers of medical apps are to conduct a risk assessment of their app that includes risk to the patient (see control #2 above), and be able to demonstrate that the app meets its intended performance goals (see controls #3 and #4 above). Finally, the guide notes that smartphones and tablets, etc., will never be considered (and regulated as) medical devices unless they are specifically converted to be a medical device.

If only we in the States could be so reasonable....

Posted at 11:04 AM in Data Integrity & Part 11, FDA Intel, FDA Regulations, Medical Apps, Medical Devices, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

06 September 2011

Recent 21 CFR 11 Questions & Answers

Since FDA announced its intent to vigorously enforce 21 CFR 11, I've collected various questions posed by attendees at my workshops and speeches on 21 CFR 11 compliance. Now, one year later and a year's track record of Part 11-related FDA Warning Letters, I thought it might be time to walk through a few of the most common questions and answers. Hopefully, this will help you stay on the right track when it comes to validating non-product software, computerized systems and Part 11 validation.

Q: Will the FDA cite you for 21 CFR 11 non-compliance?

Yes...and no. Unfortunately, despite FDA's intent to raise the enforcement profile of Part 11, no Warning Letters actually cite 21 CFR 11, only the predicate rules. That said, the agency is trying to make clear the responsibility of firms to comply with Part 11 rules for electronic information:

You are responsible for the accuracy and integrity of the data generated by your firm. Provide a more comprehensive corrective action plan to ensure the integrity of all data used to assess the quality and purity of all drugs manufactured at your facility, including any registration lots. (Warning Letter to Cadila Healthcare, June 2011)

Or this one:

You are responsible for the accuracy and integrity of the data generated by your firm. A firm must maintain all raw data generated during each test, including graphs, charts, and spectra from laboratory instrumentation. These records should be properly identified to demonstrate that each released batch was tested and met release specifications. Appropriate record retention policies should also be in place. … Should product quality or safety concerns arise in the future, the original records pertaining to batches listed in an application may be integral in providing reasonable assurances to the Agency regarding a product and integrity of data submitted to support it. (Warning Letter to Ningbo Smart Pharmaceutical Co., February 2011)

As should be clear from the above Warning Letter excerpts, FDA’s enforcement emphasis for Part 11 compliance is all about how companies ensure — or fail to ensure — record integrity (including, as in the Ningbo situation, appropriate FDA records and document retention).

Q: Does the FDA conduct random 21 CFR 11 only inspections?

No. The FDA does not conduct random Part 11-only inspections. The only reason a stand-alone, "for cause" or PAI-type of Part 11 audit occurs is because the agency has very serious concerns regarding data integrity directly impacting product safety (i.e., impacting public safety). Since 1997, the only examples of stand-alone Part 11 audits that I know of involved one the following:

whistleblower complaint alleging data fraud (triggered a "for cause" inspection)
submission with serious data integrity issues (triggered a pre-approval inspection)
meta-analysis of adverse event reports, clinical trial data, etc. led to a "for cause" inspection of a contract research organization

The problem, of course, is that these situations ended up blind-siding the firms involved and their management. Thus it seemed like it was random. Executives had zero idea that these inspections would occur because the data in question was in a submission, in an adverse event report, or was part of a whistleblower complaint from a disgruntled former employee. This was all data and historical documents that the firm thought it was "done with" and there were no more risks when the FDA knocked on the door.

As I point out to my clients when I help them put in place lean Part 11 controls, the records and documents that trigger Part 11 concerns tend to be all the stuff that people have completed. You are no longer paying attention to such historical info. Ironically, once you're "done with" the processes and projects that generated the data, that's when FDA actually starts paying attention. So the key is to have Part 11 controls such as validation, qualification, electronic security, qualified IT vendors, and a FDA records retention policy that work for both active and archived records.

Q: Do I need to validate commercial software like Microsoft Word or Excel?

No. Nor will you be able to without significant input from Microsoft - input you will not get unless you can write a multi-million dollar check (and not have it bounce). Here's what George Smith, the chair of FDA's internal Part 11 working group has to say on this:

Validation is to intended use. Thus, the exact same two computers or two exact same software installations at two different companies produce two different sets of records.

In other words, you validate the process in which you use Word or Excel (or any other commercial software) for its intent (production and maintenance of a record, computation of a formula, etc.). The degree of risk associated with the process/data will drive the level of validation needed and the degree of Part 11 controls necessary on the automation involved and the records generated.

Thus, if I use a spreadsheet macro in order to calculate a critical quality attribute of temperature, then I'd validate the macro itself and ensure a significant number of controls on the macro (so it wasn't accidentally messed up if an Excel patch is auto applied) and on the data results. I would not go about trying to validate Excel as a piece of software. Incidentally, a good resource on spreadsheet macro validation in laboratory environs is Ludwig Huber's LabCompliance.com site.

Likewise, if I use Word to author SOPs, I would not validate Word per se but rather validate my SOP process that happens to rely upon Word to automate some aspects (spelling, etc.). In this light, my validation efforts will likely be very light (afterall, how many of us have the money and time to spend conducting process validation on our SOP of SOPs process?).

The key is to view any commercial software as a tool. When it comes to off-the-shelf software, think of Part 11 validation as automated process validation rather than computer validation. The Part 11 controls then largely center around ensuring data integrity (i.e., data integrity tips or steps).

Q: How do I deal with a software vendor who issues automated patches (such as virus scan engine updates, bug fixes, hotfixes, etc.) and won't agree to notify us ahead of time?

This is why you cannot validate commercial software - you have zero control over it. Without control, there is no validation.

And yet you still have to manage changes to the environment in which your electronic records exist. Remember, your personnel perform various regulated actions, undertake specific processes, and make decisions using those records (which are, in turn, reliant upon an IT infrasctructure that is in a "state-of-control"). This is how IT compliance, and 21 CFR 11 compliance in particular, goes awry. Where do you start? How do you control an IT environ over which your vendors exert considerable influence?

In general, the best answer is make the decision that my clients have taken - to bring an outside expert to either run a Part 11 workshop for the firm, to help draft 21 CFR 11 validation protocols, to conduct a mock Part 11 audit, or some other means by which your site specific questions can be addressed.

In the context of dealing with a vendor who issues automated software updates, the best approach that I've seen over the past decade take a three-phase tact:

Compile a "pre-approved" change list that then goes through normal change control
Conduct quick, basic, retrospective testing when such updates are noticed AND they may have an impact to the electronic data
Have Quality audit to the above.

Number two - the quick, basic, retrospective testing - can get tedious and potentially allow for IT and Quality to start arguing over what should have been noticed, what should have been retrospectively tested, etc. Avoid this by agreeing on some common criteria. For instance, any patch that states upfront it "affects data stability" (from an old Microsoft patch for Windows a few years back), should get some testing. Another example is large service packs (in other words, if the patch is big enough for the vendor to change its CD/DVD press labels, it's large enough for you to do some testing).

Next Steps

When was the last time you cringed after reading an email regarding Part 11 by someone in your organization? Or listened as someone listed off all the expensive, costly ways in which Part 11 was too much for your company? Maybe it was last week or last month. It’s not that your colleagues and team members don’t care about Part 11, it’s that they just don’t know how to move from last century’s misinterpretations and frustrations to today’s lean Part 11 compliance.

Your Quality, Regulatory Affairs, IT, Records Management and other operational employees must know how to work effectively and productively under Part 11 rules.

I started Cerulean Associates LLC to provide this type of practical, lean compliance advice on 21 CFR 11 compliance. As an FDA inspector-trained Part 11 expert, I have 20 years of business expertise being accountable for regulatory compliance (and the costly mistakes to prove it). If you'd like to learn more about avoiding FDA Part 11 and business trouble, visit my Part 11 consultant page or simply contact me directly.

I look forward to your feedback.

Posted at 04:37 PM in Audits & Inspections, Data Integrity & Part 11, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

01 November 2010

FDA's New Focus on Part 11

FDA's renewed emphasis on 21 CFR Part 11 is the subject of my audio-conference on Thursday, November 4th.

This past summer, FDA announced that it would step up increased enforcement of its data integrity and quality regulations known as Part 11.

Is this a return to "validate everything"?

Validation, legacy systems, audit trails, record integrity, and record retention processes will be under scrutiny by the FDA. With so many areas of focus and a short amount of time to prepare for increased enforcement, it’s essential to prepare now. But where should you start? Who should be involved?

Questions to be answered during the 90-minute Part 11 training program:

What are the top compliance failures cited in Part 11-related inspections?
What steps can you take to identify and address weaknesses in your electronic records?
How can you prepare your legacy systems for inspection?
What steps should you take to prove data quality and record integrity?
When do you need to have an audit trail?
What are the recent trends in FDA enforcement of Part 11?
What should you expect from an inspection that will tackle Part 11 compliance?

I've designed this to largely focus on areas of GMP, GCP, and QSR-related processes and sites.

If you'd like to register, please visit http://www.thompsoninteractive.com/site/offer.jsp?promo=FDAR4WC0&priority=FKYG90145

Hope to hear from you on the call, and please let me know if you've signed up - drop me a line!

Posted at 08:55 AM in Data Integrity & Part 11, Event & Publication Calendar, Records Management & Retention | Permalink | Comments (0) | TrackBack (0)

04 October 2010

FDA Part 11 and EU Annex 11 Discussion

FDA's renewed emphasis on enforcing 21 CFR Part 11 - along with the EU's re-issuance of Annex 11 - is the subject of my new webinar on Tuesday, October 12th.

If you're based in the US, clearly Part 11 is of concern, but if you're based outside the US yet sell products in the US, Part 11 needs to be on your radar. The same holds true if you're based in the US and sell products in the EU - you'll be complying with Annex 11 as well.

What will this mean for you?

FDA has begun extending routine inspections to evaluate compliance with Part 11 requirements to ensure companies are maintaining electronic records and document controls with accuracy, integrity, and authenticity. There are many questions about this effort, and worries that this presages a return to the days of "validate everything."

The EU recently issued its revised Annex 11 to the EU GMPs on electronic data integrity, and firms in the US are woefully unprepared.

During the program, I'll walk you through the scope of the new Part 11 enforcement program and compare it to Annex 11, offer insights into what inspectors are looking for, and provide suggestions on how to prepare your company for the upcoming inspections.

Overall agenda:

New requirements in Annex 11 and FDA's reinterpretation of Part 11
How to use risk-based decision-making to support your IT compliance plans
Steps to take advantage of vendor efforts, documentation, and services
FDA Part 11 citations associated with e-record integrity and data quality
Cost-effective strategy for complying with Part 11 and Annex 11

Attendees will receive bonus documents, a trial subscription to my FDA client newsletter along with some other freebie downloads. If you'd like to register, please visit the ExpertBriefings website at http://www.ExpertBriefings.com.