deficiencies Archives - European Industrial Pharmacists Group (EIPG)

Approval of the Data Governance Act, and EMA’s consultation on the protection of personal data in the CTIS


by Giuliana Miglierini The Data Governance Act (DGA) was approved and adopted in May 2022 by the European Council, following the positive position of the EU Parliament; the new legislation will entry into force after being signed by the presidents Read more

The transition towards EMA's new Digital Application Dataset Integration (DADI) user interface


by Giuliana Miglierini The Digital Application Dataset Integration (DADI) network project is aimed to replace the current PDF-based electronic applications forms (eAFs) used for regulatory submissions with new web-forms accessible through the DADI user interface. The European Medicines Agency (EMA) has Read more

IVD regulation in force: new MDCG guidelines and criticalities for innovation in diagnostics


by Giuliana Miglierini The new regulation on in vitro diagnostic medical devices (IVDR, Regulation (EU) 2017/746) entered into force on 26 May 2022. The new rules define a completely renewed framework for the development, validation and use of these important Read more

ICMRA published a Reflection paper on remote inspections

, , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

Remote inspections have become a widely used approach since the last two years to ensure the oversight of the compliance of pharmaceutical productions to regulatory requirements, as the prolonged lockdown periods determined by the pandemic made very difficult the maintenance of the regular schedule for on-site inspections.

A Reflection paper on the so gathered experience has been recently published by the International Coalition of Medicines Regulatory Authorities (ICMRA); the document addresses from the point of view of regulatory authorities the many issues encountered to establish appropriate modalities to interact at distance with the industrial counterparts by mean of digital technologies and suggests the best practices for the future. The analysis focused especially on remote GCP and GMP inspections.

The Reflection paper was drafted by a working group chaired by the UK MHRA and inclusive of representatives from the US FDA, EMA, Health Canada, Swiss-medic, HPRA Ireland, AEMPS Spain, ANSM France, PEI Germany, MHLW/PMDA Japan, TGA Australia, ANVISA Brazil, HSA Singapore, WHO and Saudi FDA.

The lack of a uniform definitions and approaches

Each national competent authority adopted during the pandemic its own approach to remote inspections, evaluating this type of opportunity on a case-by-case basis, making use of established quality risk management principles and tools to reach their decision (par. 3 of the Reflection paper enlists the more widely used parameters for risk assessment and management).Among the factors entering this preliminary evaluation are the regulatory compliance history of the inspectee, the scope of the inspection (pre-approval, routine or for cause), and the inherent risk associated with the activities conducted by the site, the types of products and the need for the product.

The term used to identify the at distance interaction with the company to be inspected also assumed a quite wide variability; “distant assessment”, “remote evaluation”, “desktop assessment” or “remote assessment” are other frequent declinations used to define oversight procedures run by using digital technologies, both at the national and international level.

The choice of the specific term to identify this sort of practice depends upon many different factors, including the type of inspection and of the involved facilities, and the local national legal frameworks governing inspections as well as protection of personal data. The specific areas or sites to be included in the official review of activities, documents, facilities, records, etc. have proved also highly variable, as they may include not only the manufacturing site, but also investigator sites of a clinical trial, the sponsor’s and/or contract research organisation’s (CRO’s) facilities, or any other establishments deemed appropriate by the regulatory authority running the inspection.

Should the preliminary risk assessment had discouraged the possibility to conduct a remote inspection, the on-site inspections were usually postponed until the termination of lockdown measures in the interested countries. Hybrid or collaborative inspections represent another opportunity used to handle critical cases: the first ones involve the assessment or inspection to be conducted using a mix of remote and on-site activities, the second see two or more regulatory authorities collaborating to perform a conjunct inspection of a specific site.

According to the Reflection paper, it thus appears highly unlikely that a unique and fully harmonized approach to remote inspections in all scenarios might be developed for the future. “While the ICMRA group have found remote inspections an enabling tool to maintain at least a minimal regulatory oversight during the pandemic, it is not the view of the group that remote inspections would fully replace an on-site inspection programme”, states the document.

The main issues encountered

The possibility to conduct inspections, evaluations or assessments at a distance/virtually is based on the implicit availability of a robust IT and communication infrastructure; this has proved a fundamental requirement to smoothly share and review all the relevant documentation and ensure access from remote to systems and plants. Virtual tours of the manufacturing facilities are a typical example, for which the availability of solid “hardware and software that can provide an appropriate field of vision, clarity and stabilisation of the picture, while simultaneously facilitating conversation between the inspector and tour host” is essential to enable the real-time transmission of images and sounds captured by the in charge on-site staff by mean of smart devices or more advanced systems as smart-glasses.

In international inspections, the difference in time-zone and the availability of real-time, online translation services have also proved critical in many instances, especially if parallel sessions of discussion were needed. The possibility for inspectors to access on-line the relevant documentation requires the availability of the inspected company to provide credentials to enter in a read-only mode its proprietary document management systems and repositories. To this instance, confidentiality issues often led many companies to provide access to IT systems by mean of a specifically appointed member of the staff, in charge of accessing in real-time the systems and made available all the documentation as indicated by the inspectors.

The main areas of attention

The Reflection paper identifies four different areas for which remote assessment/inspection proved to be particularly useful during the pandemic period.

In the case of virtual tours, the indication coming from ICRMA experts is to limit the use of prerecorded video tours only in exceptional circumstances, and never for inspection of high-risk activities, as the inspector may not be in the right conditions to effectively verify all details needed to evaluate the suitability of the facility.

Direct access to documentation by inspectors is an expectation, electronically or otherwise, whether the inspection is on-site or remote”, states the Reflection paper. The alternative intervention of site staff may be acceptable, but it should not negatively impact the results of the assessment. Furthermore, this modality may also prove quite time consuming for both the inspector and the inspected company. ICRMA also supports the possibility for regulators to access documentation after the closure meeting, and upon the formal closure of the inspection, in order to facilitate the drafting of the report or to clarify a deficiency already raised.

GCP and GMP inspections

Specific issues for both GCP and GMP inspections are addressed in two dedicated chapters of ICRMA’s Reflection paper.

It should be noted that within the EU remote inspections at investigator sites are not considered to be feasible”, writes ICRMA. The motivation has to be found mainly in the need to avoid any further impact on the clinical sites during an health emergency like the pandemic, andin the issues posed by local frameworks for data protection. The Reflections paper provides a list of clinical areas not suitable for remote inspection.

As for GMP inspections, not all regulatory authorities adopted the same approach during the pandemic; in general terms, this sort of practice has been judged acceptable by ICRMA to handle emergency situations with restrictions to travels in place, but it cannot fully substitute onsite inspections of manufacturing sites. More specifically, the experience of the past two years shows that remote inspection proved unfeasible for sites requiring detailed observation, as those performing aseptic manufacturing or handling potent active ingredients with low Permitted Daily Exposure.


The new PIC/S guideline on data integrity

, , , , , , , , , , , , , , ,

by Giuliana Miglierini

The long waited new PIC/S guideline PI 041-1 has been finally released on July 1st; the document defines the “Good Practices for Data Management and Data Integrity in regulated GMP/GDP Environments”, and it represents the final evolution of the debate, after the 2nd draft published in August 2016 and the 3rd one of November 2018.
While maintaining the previous structure, comprehensive of 14 chapters for a total of 63 pages, some modifications occurred in the subchapters. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) groups inspectors from more than 50 countries. PIC/S guidelines are specifically aimed to support the inspectors’ work, providing a harmonised approach to GMP/GDP inspections to manufacturing sites for APIs and medicinal products.

Data integrity is a fundamental aspect of inspections
The effectiveness of these inspection processes is determined by the reliability of the evidence provided to the inspector and ultimately the integrity of the underlying data. It is critical to the inspection process that inspectors can determine and fully rely on the accuracy and completeness of evidence and records presented to them”, states the Guideline’s Introduction.
This is even more true after the transformation impressed by the pandemic, resulting in a strong acceleration towards digitalisation of all activities. The huge amount of data produced every day during all aspects of the manufacturing and distribution of pharmaceutical products needs robust data management practices to be in place in order to provide adequate data policy, documentation, quality and security. According to the Guideline, all practices used by a manufacturer “should ensure that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available”. This means also that the same principles outlined by PIC/S may be used also to improve the quality of data used to prepare the registration dossier and to define control strategies and specifications for the API and drug product.
The guidance applies to on-site assessments, which are normally required for data verification and evidence of operational compliance with procedures. In the case of remote (desktop) inspections, as occurred for example during the pandemic period, its impact will be limited to an assessment of data governance systems. PIC/S also highlights that the guideline “is not intended to provide specific guidance for ‘for-cause’ inspections following detection of significant data integrity vulnerabilities where forensic expertise may be required”.

The impact on the entire PQS
PIC/S defines data Integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle”.
This means that the principles expressed by the guideline should be considered with respect to the entire Pharmaceutical Quality System (and to the Quality System according to GDPs), both for electronic, paper-based and hybrid systems for data production, and fall under the full responsibility of the manufacturer or the distributor undergoing the inspection.
The new guidance will represent the baseline for inspectors to plan risk-based inspections relative to good data management practices and risk-based control strategies for data, and will help the industry to prepare to meet the expected quality for data integrity, providing guidance on the interpretation of existing GMP/GDP requirements relating to current industry data management practices without imposition of additional regulatory burden. PIC/S highlights that the new guidance is not mandatory or enforceable under the law, thus each manufacturer or distributor is free to voluntarily choose to follow its indications.

Principles for data governance
The establishment of a data governance system, even if not mandatory, according to PIC/S would support the company to coherently define its data integrity risk management activities. All passages typical of the data lifecycle should be considered, including generation, processing, reporting, checking, decision-making, storage and elimination of data at the end of the retention period.
“Data relating to a product or process may cross various boundaries within the lifecycle. This may include data transfer between paper-based and computerised systems, or between different organisational boundaries; both internal (e.g. between production, QC and QA) and external (e.g. between service providers or contract givers and acceptors)”, warns PIC/S.
Chapter 7 specifically discusses the Good document management practices (GdocPs) expected to be applied, that can be summarised by the acronyms ALCOA (Attributable, Legible, Contemporaneous, Original, Accurate) and ALCOA+ (the previous plus Complete, Consistent, Enduring and Available).
Data governance systems should take into consideration data ownership and the design, operation and monitoring of processes and systems. Controls should include both operational (e.g. procedures, training, routine, periodic surveillance, etc) and technical features (e,g, computerised system validation, qualification and control, automation or other technologies to provide control of data). The entire organisation should commit to the adoption of the new data culture, under a top-down approach starting from the Senior management and with evidence provided of communication of expectations to personnel at all levels. Sections 6 of the guideline provides some examples in this direction. The ICH Q9 principles on quality risk management should be used to guide the implementation of data governance systems and risk minimisation activities, under the responsibility of the Senior management. Efforts in this direction should always be commensurate with the risk to product quality, and balanced with other quality resource demands. In particular, the risk evaluation should consider the criticality of data and their associated risk; the guideline provides an outline of how to approach the evaluation of both these factors (paragraphs 5.4 and 5.5). Indication is also provided on how to assess the effectiveness of data integrity control measures (par. 5.6) during internal audit or other periodic review processes.
Chapter 8 addresses the specific issues to be considered with respect to data integrity for paperbased systems, while those related to computerised systems are discussed in Chapter 9. As many activities typical of the pharmaceutical lifecycle are normally outsourced to contract development & manufacturing organisations (i.e. API manufacturing, formulation, analytical controls, distribution, etc.), PIC/S also considered in the guideline the aspects impacting on the data integrity of the overall supply chain (Chapt. 10). “Initial and periodic re-qualification of supply chain partners and outsourced activities should include consideration of data integrity risks and appropriate control measures”, says the guideline.

The regulatory impact of data integrity
Recent years have seen the issuance of many deficiency letters due to problems with data integrity,. Approx. half (42, 49%) of the total 85 GMP warning letters issued by the FDA in 2018, for example, included a data integrity component.
The new PIC/S guideline provides a detailed cross-reference table linking requirements for data integrity to those referring to the other guidelines on GMPs/GDPs for medicinal products (Chapter 11). Guidance on the classification of deficiencies is also included in the document, in order to support consistency in reporting and classification of data integrity deficiencies. PIC/S notes that this part of the guidance “is not intended to affect the inspecting authority’s ability to act according to its internal policies or national regulatory frameworks”.
Deficiencies may refer to a significant risk for human or animal health, may be the result of fraud, misrepresentation or falsification of products or data, or of a bad practice, or may represent an opportunity for failure (without evidence of actual failure) due to absence of the required data control measures. They are classified according to their impact, as critical, major and other deficiencies.
Chapter 12 provides insight on how to plan for the remediation of data integrity failures, starting from the attention required to solve immediate issues and their associated risks. The guideline lists the elements to be included in the comprehensive investigation to be put in place by the manufacturer, as well as the corrective and preventive actions (CAPA) taken to address the data integrity vulnerabilities. A Glossary is also provided at the end of the guideline.