inspections Archives - European Industrial Pharmacists Group (EIPG)

Home  /  Current inspection trends and new approaches to the monitoring of post-inspection activities  /  inspections

A new member within EIPG


The European Industrial Pharmacists Group (EIPG) is pleased to announce the Romanian Association (AFFI) as its newest member following the annual General Assembly of EIPG in Rome (20th-21st April 2024). Commenting on the continued growth of EIPG’s membership, EIPG President Read more

The EU Parliament voted its position on the Unitary SPC


by Giuliana Miglierini The intersecting pathways of revision of the pharmaceutical and intellectual property legislations recently marked the adoption of the EU Parliament’s position on the new unitary Supplementary Protection Certificate (SPC) system, parallel to the recast of the current Read more

Reform of pharma legislation: the debate on regulatory data protection


by Giuliana Miglierini As the definition of the final contents of many new pieces of the overall revision of the pharmaceutical legislation is approaching, many voices commented the possible impact the new scheme for regulatory data protection (RDP) may have Read more

Current inspection trends and new approaches to the monitoring of post-inspection activities

July 8, 2022 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The European Federation of Pharmaceutical Industries and Associations (EFPIA) has published its Annual Regulatory GMP/GDP Inspection Survey 2021, highlighting the more recent trends in inspections and how the pandemic affected this critical verification process of pharmaceutical productions. Meanwhile, UK’s regulatory authority MHRA launched the Compliance Monitor Process pilot, aimed to use eligible consultants as Compliance Monitors to supervise companies in the delivery of actions identified in the Compliance Protocol agreed with the regulatory authority.

Main trends in inspections

The main effect of the lockdowns has been the implementation of new ways to run inspections. The recommendation resulting from EFPIA’s report is now for virtual tools combined with onsite presence; to this instance, data gathered in 2021 show that the two modalities of inspection have a similar duration (2.9 days for on-site inspections vs 2.8 days for virtual ones). The report also indicates there is still a backlog of inspections due in 2020, the critical period of the pandemic; suggestions to manage expiring GMP/GDP/ISO-certificates include a one-year prolongation of current certificates, a dedicated communication process between the industry and regulators in the case of issues with the registration in third countries, and a planning of inspections based on the quality history of the site.

Domestic inspections confirming the trend observed since 2016, are almost double of the number of foreign inspections. These last ones focused in 2021 on only 23 countries, compared to the 44 countries visited by inspectors in 2017. EU’s countries were the most visited ones, with some 350 inspections reported vs the 150 of US, confirming the importance of European pharmaceutical manufacturing. According to the report, 2021 saw an increased attention to GDP inspections, while the percentage of sites with no inspections remains stable for six years.

A new mix of inspection tools

The use of new tools, additional to physical on-site presence, has now become a routine possibility accepted by many regulatory authorities. Many different approaches have been tested during the pandemic, including different inspections tools. Different combinations of tools cannot be considered to be equivalent, according to EFPIA. In general, a mixture of physical presence, document review and virtual presence flanked by the sharing of experience, collaboration and reliance is deemed suitable to confirm compliance and capability while supporting a risk-based efficiency.

Data show that the number of virtual inspections was higher in 2020 compared to 2021; the last year saw an increase of on-site presence vs 2020 and a mixture of virtual and on-site inspections. According to the report, only seven European countries have experience with the implementation of virtual inspection tools (Germany, Denmark, Finland, Ireland, Italy, Poland and Sweden). As a consequence, the impact of mixed virtual and on-site domestic inspections in 2021 was lower in EU member states that, for example, in the US, Brazil, Russia and Singapore.

There is still space for improvement

EFPIA’s survey presents the respective advantages and disadvantages of on-site inspections vs virtual tools. The implementation of the new modalities is far from being accomplished, the process is still on the learning curve, says the document.

While the remote, virtual interaction allows for a greater flexibility of the inspection process, it may result stressful for some people; furthermore, it impacts on the way work is organised, as it needs a flexible schedule and time to prepare for the next day meetings. Also, the style of communication changes to become less natural and more focused. Overall, virtual inspections appear to be more efficient when performed in real-time, as it would be for on-site inspections. While being less costly, due to avoiding extensive travelling, virtual inspections require a careful preparation, including the availability of a suitable IT infrastructure and connectivity. Documents are also often required in advance of the meetings to be shared with regulators.

How to further improve inspections

According to EFPIA, the future of inspections calls for improved collaboration and reliance in order to increase the knowledge shared by the different inspectorates and overcome the limits intrinsic to self-dependency. The expected final outcome of the new approach to inspections is an improvement in the decision-making process. Inspection frequency may be set every 1 to 5 years on the basis of a risk-based evaluation.

Collaboration, reliance and delegation appear to be the new mantras to guide the actions of regulators: the focus suggested by EFPIA is on inspections run by domestic authorities, coupled to the implementation of Mutual Recognition Agreements (MRA) to avoid duplication of efforts. According to the report, it would be needed to harmonise the scope of existing MRAs and to establish new ones between the EU and PIC/S participating authorities (e.g. Argentina, Brazil, South Korea, Turkey and UK). The European legislation should be also updated to include the concept of listed third countries, as already in place for the importation of active substances under the provisions of the Falsified Medicines directive.

The report also suggests a qualitative tool that would fulfil the legal requirements for “inspections” and may prove useful to support inspection planning on the basis of the knowledge of the GMP compliance history of the site, the footprint history of critical and major deficiencies and the type of inspection to be run. These elements lead to the identification of the hazards to be considered, including the intrinsic risk and the compliance-related one. The final output of the tool takes the form of a risk-ranking quality metric, to be used to establish the frequency of inspection for a certain site and the number and level of expertise of the required inspectors, as well as the scope, depth and duration of routine inspections.

All these items may form the basis for the drafting of a GMP inspection “Reliance Assessment Report”, which would also include the statement about the name of the hosting national competent authority and the basis on which country reliance has been established. Such a document may be then used to support regulatory decisions. According to EFPIA, the suggested approach would benefit of a better knowledge of the site inspected by the local NCA, a better insight in the local culture and less barriers to the interaction, with optimisation of resources. A better transparency of the inspection process is also expected, as a non-compliant site may negatively impact on the reputation of local inspectorates. Identified pre-requisites to allow the implementation of such an approach are the availability of high-quality standards at the local level and the evaluation of national regulatory systems by and independent body (e.g. PIC/S or the WHO Global Benchmarking Tool).

UK’s pilot of a Compliance Monitor Process

A new approach that may represent a first example towards the new paradigm of collaboration and reliance has been undertaken in the UK, where the Medicines and Healthcare products Regulatory Agency (MHRA) launched in April 2022 a pilot project focused on the Compliance Monitor (CM) Process (see more here and here). The pilot is part of MHRA’s delivery plan 2021-2023 and will focus on the CM supervision process for appropriate GMP and GDP Inspection Action Group (IAG) cases.

According to the MHRA, the new process would allow companies to concentrate on the delivery of the required improvements without the need to use resources to manage MHRA supervision inspections to assess compliance remediation activities. On the regulatory side, the MHRA should be able to concentrate on the delivery of the routine risk-based inspection programme. The risk-based approach to supervision and monitoring is also expected to limit the number of potential shortages of supply.

The CM process is based on the figure of eligible consultants acting as Compliance Monitors (CM) in charge of working with the company to deliver the remediation actions identified in a Compliance Protocol (CP) agreed with the MHRA. The supervision by the CMs is expected to contribute to lower the need of on-site inspections with respect to the current process managed by the IAG. The CP also includes the transmission to MHRA of high-level updates at fixed intervals of time, which should include only exceptions to the agreed timelines or significant related compliance issues which were identified. Once completed the CP protocol, the CM informs the regulatory authority that the company is ready for inspection, so that the MHRA can verify onsite the possibility of its removal from IAG oversight.

CMs will be selected by the involved company from a dedicated register and accepted as suitable for that case by the MHRA. At least five years’ experience in independent audits of GMP/ GDP companies is needed to be eligible as CM. Furthermore, not having been personally the subject of MHRA regulatory action and/or significant adverse findings in the previous three years,  a suitable CV and the completion of a MHRA training as CM. All details on requirements for the CM role and application are available at the dedicated page of the MHRA website.

Suitability criteria to act as a CM for the specific case include as a minimum a sufficient experience of the dosage form manufactured, testing activities being performed, or distribution activity being carried out and a written confirmation of absence of Conflict of Interest. These criteria will be assessed by the company selecting the CM.

BIA’s view of the reliance in the UK medicines regulatory framework

The UK’s BioIndustry Association (BIA) contributed to the debate on the reliance in the UK medicines regulatory framework with a Reflection Paper. According to BIA, the MHRA has a well recognised status and history as a valued contributor to the global regulatory ecosystem and a point of reference for the regulatory decision-making which should be preserved also in the future.

BIA recalls the role played by the MHRA in the development of the concept of regulatory reliance at the EU level, as a way to support the agile management of resources and simultaneously focusing on core and innovative national activities across all stages in the product lifecycle. The central concept sees regulators from one country to rely on the decision and assessments of trusted authorities from another country in order to speed up the timeline of regulatory procedures. At the end of the process, each regulator remains fully responsible and accountable for all its decisions.

BIA also highlights the contribution of reliance to the advancement of good regulatory practices and international networks of regulators, so to better allocate resources potentially taking into account also the respective fields of specialisation. The proposal is for a list of accepted reference regulatory authorities as a way to recognise the evolution of partnerships over time. Examples of recognition pathways already active in the UK are the EC Decision Reliance Procedure (ECDRP) and international work-sharing through the Access Consortium and Project Orbis, through which the MHRA may act as the reference regulatory agency in many procedures.

BIA also warns about the risks of a sudden interruption at the end of 2022 of the reliance pathway, that would have a highly disruptive impact on companies and patients.


EMA’s consultation on draft Q&As on remote certification of batches by QP

June 3, 2022 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The last two years saw the implementation of a high degree of regulatory flexibility as a mean to respond to the many challenges posed by the travel bans consequent to the pandemic. After this “experimental” phase, regulatory authorities are now considering the possibility to allow the routine implementation of some remote procedures in the field of pharmaceutical production.

It is the case of the remote certification/confirmation of batches by the Qualified Person (QP): after the publication of a draft guideline in the form of Q&As (EMA/INS/169000/2022), the European Medicines Agency (EMA) has launched a short public consultation which will remain open up to 13 June 2022. Comments may be sent by email.

The guideline offers EMA’s point of view on the requirements for the physical attendance at the authorised manufacturing site applying to QPs in order to routinely run the remote certification of batches, outside emergency situations. The document has been drafted by the GMDP Inspectors Working Group; it is composed of four questions and their relative answers and it addresses some considerations arising from the experience gained on the application of the guidelines for human and veterinary medicines issued during the pandemic. These last ones were elaborated in cooperation between the European Commission, the Coordination group for Mutual recognition and Decentralised procedures – human (“CMDh”), the Inspectors Working Group, the Coordination group for Mutual recognition and Decentralised procedures – veterinary (“CMDv”) and EMA.

The Agency also warns that the contents proposed by new Q&As’ guideline may be subject to any other interpretation by the European Court of Justice, which is the ultimate responsible for the interpretation of the EU legislation.

The contents of the Q&As

The routine remote certification or confirmation of batches may in future apply to the activities carried out by the QPs within the EU and European Economic Area (EEA), with reference to manufactured or imported human and veterinary medicinal products and investigational medicinal products.

The first answer clarifies that it could be possible for the QP to routinely run remote batch certification or confirmation only if this type of practice is accepted by the relevant national competent authority (NCA) of the member state where the authorised site is located. To this instance, it should be noted that some NCAs may request some specific requirements to authorise the routine remote certification procedure, for example with reference to the location of the QPs.

Should the remote certification be allowed on a routine basis, specific requirements should be met in order to validate this practice, starting from its full compliance to the EU legislation and EU GMP guidelines.

The answer to question 2 specifies that all activities should take place in an EU/EEA country, and that the time spent by the QP at the authorised site should be commensurate with the risks related to the processes” hereby taking place. To this instance, it is of paramount importance the ability to demonstrate that the QP acting from remote has maintained full knowledge of the products, manufacturing processes and pharmaceutical quality system (PQS) involved in the remote certification/confirmation of batches. That also means that the QP should be highly reliant on the PQS of the authorised site, and this would be only possible by spending an adequate time on-site to verify the adequacy of the PQS with respect to the processes of interest. The pharmaceutical quality system should also include details of all the procedures used for the routine remote certification/confirmation of batches. The possible use of this type of remote procedure by the QP should be also clearly mentioned in the technical agreement governing the relationship between the authorisation holder and the QP, which should also specify all cases requiring the presence on-site of the QP. A robust IT infrastructure should be in place to guarantee the remote access of the QP to all the relevant documentation in the electronic format needed to achieve bath certification/confirmation, according to the provisions described in Annex 16 to the GMPs (Certification by a Qualified Person and Batch Release). To this instance, presence on-site should be always considered to solve issues that cannot properly be addressed from remote. The demonstration of the presence on-site of the QP falls under the responsibility of the Manufacturing/Importers Authorisation (MIA) holders.

These are also responsible to make available to the QPs all the hardware and software needed to guarantee the remote access to the relevant documentation (e.g. manufacturing executions systems, electronic batch records system, laboratory information systems etc.) as well as batch registers. All IT systems used for remote batch release should comply with the requirements of Annex 11 to the GMP (Computerised Systems).

On the same basis, it should be possible for NCAs to contemporaneously access for inspection all documentation and batch registers involved in routine remote certification/confirmation at the authorised site of batch release. MIA holders should also guarantee the QP is the only allowed person to access the batch certification/confirmation function and batch register, that the transferred data are complete and unchanged, and that an adequate system for electronic signatures is in place.

Question 3 simply clarifies that some members states may have some specific requirements about the country of residence of the QP, for example it should be the same where the authorised site involved in the remote certification procedure is located.

The last question discusses technical requirements linked to IT-security and data integrity for remote access, a type of procedure presenting a higher intrinsic risk in comparison to the same activities carried on-site. Here again, the main reference is Annex 11; all equipment and software used for remote certification of batches should always reflect the current technological developments.

Among the suggestions made by the Q&A draft guideline is the precise identification of all hardware transferred off-site to the QP, that should be inventoried and kept updated. Hard disks should be encrypted, and ports not required, disabled.

Attention should also be paid to the configuration of any virtual private network (VPN) used by the QP to improve the security of the connection to the IT infrastructure of the authorised site and to prevent unauthorised accesses. Authentication should be based on recognised industry standards (e.g. two-factor or multifactor authentication, with automatic date of expiry). The transfer of data should be secured by strong transport encryption protocols; assignment of individual privileges and technical controls falls under the responsibility of the MIA holder


The European Medicines Regulatory Network Data Standardisation Strategy

January 28, 2022 , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The availability of interoperable data is a “must” to ensure the smooth sharing, use and re-use of data along the entire regulatory process. A new document – the European Medicines Regulatory Network Data Standardisation Strategy – has been issued by the European Medicines Agency (EMA) and the Heads of Medicines Agencies (HMA) to provide guidance to all authorities members of the European Medicines Regulatory Network (EMRN) on how to approach issues related to the definition, adoption and implementation of international data standards.

As data contains the higher informative value, regulatory procedures are undergoing a phase of deep rethinking in order to pay greater attention to the underlying data, leaving behind the traditional assessment of regulatory documents prepared using those data. Furthermore, the secondary use of data may support optimised regulatory decision-making processes.

The EMRN Data Standardisation Strategy – one of the main deliverables of the HMA-EMA Joint Big Data Steering Group (BDSG) workplan – builds upon the EU Data Strategy and the goals of the EMRN Strategy 2025. The FAIR principles (Findable, Accessible, Interoperable and Reusable) have been identified to govern the acquisition, conservation and use of data.

A more standardised approach to be adopted by the EMRN shall make possible to reduce the current manual and technical workload needed to manage regulatory documents and data, which are often submitted using a variety of different formats. According to the Strategy, a review of the mechanisms of data governance is also needed to include the responsibilities for oversight of data standardisation work and for the periodic updating of the EMRN data strategy. Further assessment of the expected costs and benefits is needed to make available the final roadmap for the implementation and prioritisation of measures suggested by the Data Standardisation Strategy.

Adopt, adapt, develop

The document was drafted on the basis of initial internal consultations on current practices for the management of scientific data; the inventory of the current IT systems in use by members of the EMRN was also created. In a second phase, a public survey was conducted among all stakeholders; current and new standards under development were identified by analysis of a selection of Standards Development Organisations (SDOs) active in the healthcare sector.

The exercise led to the identification of three different categories of actions, respectively referred to the adoption by the EMRN of currently available standards, the adaptation of available standards to include additional requirements, and the development of entirely new standards.

A total of eight principles have been identified to guide the standardisation of data to be used for regulatory purposes. First of all, high-quality data standards developed by accredited SDOs should always be adopted, on the basis of voluntary and consensus-based processes. EMA-HMA’s suggestion is to use such standards in place of (unique) local or proprietary standards, unless not compatible with the EU legislation or otherwise impractical. This would also support the creation of the European Health Data Space (part of the EU digital strategy) and facilitate the sharing and re-use of data and the governance of data privacy according to the draft EU Data Governance Act. The principles of data protection and data ethics by design are another fundamental requirement, as well as the collaboration with stakeholders in order to be informed about their needs. An alignment and consolidation of requirements from other regulations and guidelines is also envisaged; assessment of requirements for both human and veterinary regulatory practices should be run in order to avoid duplication of efforts or creation of competing standards.

Four domains for the management of data

The EMRN Data Standardisation Strategy identifies four different domains for the adoption of common standards: Medicinal Product, Healthcare & study data, Safety & risk management and Submissions. Recommendations for each of the four domains are discussed in the document.

The Medicinal Product domain includes product information, substance information, manufacturing and quality information.

Standards such as the ISO IDMP (IDentification of Medicinal Products) – based on the HL7 FHIR (Fast Healthcare Interoperability Resources) standard – are already in place, for example, to feed EMA’s SPOR system, but additional FHIR resources would be needed to structure key product information in already existing projects. To this regard, the Strategy suggests to implement and adapt ISO IDMP specified substance group levels 2 and 4 by the associated HL7 FHIR message exchange format, so to capture active substances and excipients in a structured format. This approach would also better support inspections (together with the availability of a standardised template for all inspections data), traceability of the origin of all substances used to manufacture a certain medicinal product, and the adoption of risk-based tracking procedures to assess the interactions between product quality and inspections of manufacturing sites.

The Healthcare and study data domain refers to data acquired during clinical development (i.e. data from interventional and/or observational studies) and the development of a common data model (CDM) for individual patient data and mobile health (mHealth) devices.

Many projects are already active, e.g. the ICH M11: Clinical electronic Structured Harmonised Protocol (CeSHarP), an initiative that would need further tuning to include some additional requirements. The possible use of raw data from interventional studies is also under assessment (e.g. CDISC SDTM – Study Data Tabulation Model, and ADaM-Analysis Data Model).

A new CDM standard would also be needed to exploit the full and harmonised potential of real-world data (RWD) and metadata obtained from healthcare records and disease registries. To this instance, a particular attention should be paid to mHealth applications installed on personal smart-devices, a fast-growing segment giving rise to the availability to big quantities of data.

The Safety and risk management domain refers to pharmacovigilance activities and includes Individual case safety reports (ICSR), Product safety update reports (PSUR), and environmental risk assessment (ERA) and risk management plans (RMP).

ICSR might be optimised by adoption of the HL7 FHIR based messaging standard and the inclusion of -omics data (genomics, proteomics and metabolomics) of patients. According to the Strategy, a new structured, electronic format for PSURs built upon the ICH E2C (R2) periodic benefit- risk evaluation report guidelines would be also beneficial for the work of regulatory authorities. The CDISC SDTM8 standard for data collection of risk assessment data represents a possible option to better handle data referred to environmental risk assessments. A structured, electronic risk management plan (eRMP) format should be also created to overcome the current paper template format; the new standard may find inspiration in the ICH E2E Pharmacovigilance Planning guideline and the EU Guideline on good pharmacovigilance practices (GVP) Module V – Risk management systems.

The Submissions domain includes the dossier management and the structured application form. Version 4.0 of the electronic Common Technical Document (eCTD v4.0) is more flexible compared to the previous one; for example, it supports the re-use of Pdf documents across sequences and eCTD dossiers and the submission of other data formats within the dossiers. The wider use of structured data will make the use of Pdf files less common, in favour of electronic Application Forms (eAF) based on data exchange standards such as HL7 FHIR to manage regulatory application along the entire life cycle of a medicine.


ICMRA published a Reflection paper on remote inspections

January 21, 2022 , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

Remote inspections have become a widely used approach since the last two years to ensure the oversight of the compliance of pharmaceutical productions to regulatory requirements, as the prolonged lockdown periods determined by the pandemic made very difficult the maintenance of the regular schedule for on-site inspections.

A Reflection paper on the so gathered experience has been recently published by the International Coalition of Medicines Regulatory Authorities (ICMRA); the document addresses from the point of view of regulatory authorities the many issues encountered to establish appropriate modalities to interact at distance with the industrial counterparts by mean of digital technologies and suggests the best practices for the future. The analysis focused especially on remote GCP and GMP inspections.

The Reflection paper was drafted by a working group chaired by the UK MHRA and inclusive of representatives from the US FDA, EMA, Health Canada, Swiss-medic, HPRA Ireland, AEMPS Spain, ANSM France, PEI Germany, MHLW/PMDA Japan, TGA Australia, ANVISA Brazil, HSA Singapore, WHO and Saudi FDA.

The lack of a uniform definitions and approaches

Each national competent authority adopted during the pandemic its own approach to remote inspections, evaluating this type of opportunity on a case-by-case basis, making use of established quality risk management principles and tools to reach their decision (par. 3 of the Reflection paper enlists the more widely used parameters for risk assessment and management).Among the factors entering this preliminary evaluation are the regulatory compliance history of the inspectee, the scope of the inspection (pre-approval, routine or for cause), and the inherent risk associated with the activities conducted by the site, the types of products and the need for the product.

The term used to identify the at distance interaction with the company to be inspected also assumed a quite wide variability; “distant assessment”, “remote evaluation”, “desktop assessment” or “remote assessment” are other frequent declinations used to define oversight procedures run by using digital technologies, both at the national and international level.

The choice of the specific term to identify this sort of practice depends upon many different factors, including the type of inspection and of the involved facilities, and the local national legal frameworks governing inspections as well as protection of personal data. The specific areas or sites to be included in the official review of activities, documents, facilities, records, etc. have proved also highly variable, as they may include not only the manufacturing site, but also investigator sites of a clinical trial, the sponsor’s and/or contract research organisation’s (CRO’s) facilities, or any other establishments deemed appropriate by the regulatory authority running the inspection.

Should the preliminary risk assessment had discouraged the possibility to conduct a remote inspection, the on-site inspections were usually postponed until the termination of lockdown measures in the interested countries. Hybrid or collaborative inspections represent another opportunity used to handle critical cases: the first ones involve the assessment or inspection to be conducted using a mix of remote and on-site activities, the second see two or more regulatory authorities collaborating to perform a conjunct inspection of a specific site.

According to the Reflection paper, it thus appears highly unlikely that a unique and fully harmonized approach to remote inspections in all scenarios might be developed for the future. “While the ICMRA group have found remote inspections an enabling tool to maintain at least a minimal regulatory oversight during the pandemic, it is not the view of the group that remote inspections would fully replace an on-site inspection programme”, states the document.

The main issues encountered

The possibility to conduct inspections, evaluations or assessments at a distance/virtually is based on the implicit availability of a robust IT and communication infrastructure; this has proved a fundamental requirement to smoothly share and review all the relevant documentation and ensure access from remote to systems and plants. Virtual tours of the manufacturing facilities are a typical example, for which the availability of solid “hardware and software that can provide an appropriate field of vision, clarity and stabilisation of the picture, while simultaneously facilitating conversation between the inspector and tour host” is essential to enable the real-time transmission of images and sounds captured by the in charge on-site staff by mean of smart devices or more advanced systems as smart-glasses.

In international inspections, the difference in time-zone and the availability of real-time, online translation services have also proved critical in many instances, especially if parallel sessions of discussion were needed. The possibility for inspectors to access on-line the relevant documentation requires the availability of the inspected company to provide credentials to enter in a read-only mode its proprietary document management systems and repositories. To this instance, confidentiality issues often led many companies to provide access to IT systems by mean of a specifically appointed member of the staff, in charge of accessing in real-time the systems and made available all the documentation as indicated by the inspectors.

The main areas of attention

The Reflection paper identifies four different areas for which remote assessment/inspection proved to be particularly useful during the pandemic period.

In the case of virtual tours, the indication coming from ICRMA experts is to limit the use of prerecorded video tours only in exceptional circumstances, and never for inspection of high-risk activities, as the inspector may not be in the right conditions to effectively verify all details needed to evaluate the suitability of the facility.

Direct access to documentation by inspectors is an expectation, electronically or otherwise, whether the inspection is on-site or remote”, states the Reflection paper. The alternative intervention of site staff may be acceptable, but it should not negatively impact the results of the assessment. Furthermore, this modality may also prove quite time consuming for both the inspector and the inspected company. ICRMA also supports the possibility for regulators to access documentation after the closure meeting, and upon the formal closure of the inspection, in order to facilitate the drafting of the report or to clarify a deficiency already raised.

GCP and GMP inspections

Specific issues for both GCP and GMP inspections are addressed in two dedicated chapters of ICRMA’s Reflection paper.

It should be noted that within the EU remote inspections at investigator sites are not considered to be feasible”, writes ICRMA. The motivation has to be found mainly in the need to avoid any further impact on the clinical sites during an health emergency like the pandemic, andin the issues posed by local frameworks for data protection. The Reflections paper provides a list of clinical areas not suitable for remote inspection.

As for GMP inspections, not all regulatory authorities adopted the same approach during the pandemic; in general terms, this sort of practice has been judged acceptable by ICRMA to handle emergency situations with restrictions to travels in place, but it cannot fully substitute onsite inspections of manufacturing sites. More specifically, the experience of the past two years shows that remote inspection proved unfeasible for sites requiring detailed observation, as those performing aseptic manufacturing or handling potent active ingredients with low Permitted Daily Exposure.


The new PIC/S guideline on data integrity

July 30, 2021 , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The long waited new PIC/S guideline PI 041-1 has been finally released on July 1st; the document defines the “Good Practices for Data Management and Data Integrity in regulated GMP/GDP Environments”, and it represents the final evolution of the debate, after the 2nd draft published in August 2016 and the 3rd one of November 2018.
While maintaining the previous structure, comprehensive of 14 chapters for a total of 63 pages, some modifications occurred in the subchapters. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) groups inspectors from more than 50 countries. PIC/S guidelines are specifically aimed to support the inspectors’ work, providing a harmonised approach to GMP/GDP inspections to manufacturing sites for APIs and medicinal products.

Data integrity is a fundamental aspect of inspections
The effectiveness of these inspection processes is determined by the reliability of the evidence provided to the inspector and ultimately the integrity of the underlying data. It is critical to the inspection process that inspectors can determine and fully rely on the accuracy and completeness of evidence and records presented to them”, states the Guideline’s Introduction.
This is even more true after the transformation impressed by the pandemic, resulting in a strong acceleration towards digitalisation of all activities. The huge amount of data produced every day during all aspects of the manufacturing and distribution of pharmaceutical products needs robust data management practices to be in place in order to provide adequate data policy, documentation, quality and security. According to the Guideline, all practices used by a manufacturer “should ensure that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available”. This means also that the same principles outlined by PIC/S may be used also to improve the quality of data used to prepare the registration dossier and to define control strategies and specifications for the API and drug product.
The guidance applies to on-site assessments, which are normally required for data verification and evidence of operational compliance with procedures. In the case of remote (desktop) inspections, as occurred for example during the pandemic period, its impact will be limited to an assessment of data governance systems. PIC/S also highlights that the guideline “is not intended to provide specific guidance for ‘for-cause’ inspections following detection of significant data integrity vulnerabilities where forensic expertise may be required”.

The impact on the entire PQS
PIC/S defines data Integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle”.
This means that the principles expressed by the guideline should be considered with respect to the entire Pharmaceutical Quality System (and to the Quality System according to GDPs), both for electronic, paper-based and hybrid systems for data production, and fall under the full responsibility of the manufacturer or the distributor undergoing the inspection.
The new guidance will represent the baseline for inspectors to plan risk-based inspections relative to good data management practices and risk-based control strategies for data, and will help the industry to prepare to meet the expected quality for data integrity, providing guidance on the interpretation of existing GMP/GDP requirements relating to current industry data management practices without imposition of additional regulatory burden. PIC/S highlights that the new guidance is not mandatory or enforceable under the law, thus each manufacturer or distributor is free to voluntarily choose to follow its indications.

Principles for data governance
The establishment of a data governance system, even if not mandatory, according to PIC/S would support the company to coherently define its data integrity risk management activities. All passages typical of the data lifecycle should be considered, including generation, processing, reporting, checking, decision-making, storage and elimination of data at the end of the retention period.
“Data relating to a product or process may cross various boundaries within the lifecycle. This may include data transfer between paper-based and computerised systems, or between different organisational boundaries; both internal (e.g. between production, QC and QA) and external (e.g. between service providers or contract givers and acceptors)”, warns PIC/S.
Chapter 7 specifically discusses the Good document management practices (GdocPs) expected to be applied, that can be summarised by the acronyms ALCOA (Attributable, Legible, Contemporaneous, Original, Accurate) and ALCOA+ (the previous plus Complete, Consistent, Enduring and Available).
Data governance systems should take into consideration data ownership and the design, operation and monitoring of processes and systems. Controls should include both operational (e.g. procedures, training, routine, periodic surveillance, etc) and technical features (e,g, computerised system validation, qualification and control, automation or other technologies to provide control of data). The entire organisation should commit to the adoption of the new data culture, under a top-down approach starting from the Senior management and with evidence provided of communication of expectations to personnel at all levels. Sections 6 of the guideline provides some examples in this direction. The ICH Q9 principles on quality risk management should be used to guide the implementation of data governance systems and risk minimisation activities, under the responsibility of the Senior management. Efforts in this direction should always be commensurate with the risk to product quality, and balanced with other quality resource demands. In particular, the risk evaluation should consider the criticality of data and their associated risk; the guideline provides an outline of how to approach the evaluation of both these factors (paragraphs 5.4 and 5.5). Indication is also provided on how to assess the effectiveness of data integrity control measures (par. 5.6) during internal audit or other periodic review processes.
Chapter 8 addresses the specific issues to be considered with respect to data integrity for paperbased systems, while those related to computerised systems are discussed in Chapter 9. As many activities typical of the pharmaceutical lifecycle are normally outsourced to contract development & manufacturing organisations (i.e. API manufacturing, formulation, analytical controls, distribution, etc.), PIC/S also considered in the guideline the aspects impacting on the data integrity of the overall supply chain (Chapt. 10). “Initial and periodic re-qualification of supply chain partners and outsourced activities should include consideration of data integrity risks and appropriate control measures”, says the guideline.

The regulatory impact of data integrity
Recent years have seen the issuance of many deficiency letters due to problems with data integrity,. Approx. half (42, 49%) of the total 85 GMP warning letters issued by the FDA in 2018, for example, included a data integrity component.
The new PIC/S guideline provides a detailed cross-reference table linking requirements for data integrity to those referring to the other guidelines on GMPs/GDPs for medicinal products (Chapter 11). Guidance on the classification of deficiencies is also included in the document, in order to support consistency in reporting and classification of data integrity deficiencies. PIC/S notes that this part of the guidance “is not intended to affect the inspecting authority’s ability to act according to its internal policies or national regulatory frameworks”.
Deficiencies may refer to a significant risk for human or animal health, may be the result of fraud, misrepresentation or falsification of products or data, or of a bad practice, or may represent an opportunity for failure (without evidence of actual failure) due to absence of the required data control measures. They are classified according to their impact, as critical, major and other deficiencies.
Chapter 12 provides insight on how to plan for the remediation of data integrity failures, starting from the attention required to solve immediate issues and their associated risks. The guideline lists the elements to be included in the comprehensive investigation to be put in place by the manufacturer, as well as the corrective and preventive actions (CAPA) taken to address the data integrity vulnerabilities. A Glossary is also provided at the end of the guideline.