PQS Archives - European Industrial Pharmacists Group (EIPG)

Approval of the Data Governance Act, and EMA’s consultation on the protection of personal data in the CTIS


by Giuliana Miglierini The Data Governance Act (DGA) was approved and adopted in May 2022 by the European Council, following the positive position of the EU Parliament; the new legislation will entry into force after being signed by the presidents Read more

The transition towards EMA's new Digital Application Dataset Integration (DADI) user interface


by Giuliana Miglierini The Digital Application Dataset Integration (DADI) network project is aimed to replace the current PDF-based electronic applications forms (eAFs) used for regulatory submissions with new web-forms accessible through the DADI user interface. The European Medicines Agency (EMA) has Read more

IVD regulation in force: new MDCG guidelines and criticalities for innovation in diagnostics


by Giuliana Miglierini The new regulation on in vitro diagnostic medical devices (IVDR, Regulation (EU) 2017/746) entered into force on 26 May 2022. The new rules define a completely renewed framework for the development, validation and use of these important Read more

EMA’s consultation on draft Q&As on remote certification of batches by QP

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The last two years saw the implementation of a high degree of regulatory flexibility as a mean to respond to the many challenges posed by the travel bans consequent to the pandemic. After this “experimental” phase, regulatory authorities are now considering the possibility to allow the routine implementation of some remote procedures in the field of pharmaceutical production.

It is the case of the remote certification/confirmation of batches by the Qualified Person (QP): after the publication of a draft guideline in the form of Q&As (EMA/INS/169000/2022), the European Medicines Agency (EMA) has launched a short public consultation which will remain open up to 13 June 2022. Comments may be sent by email.

The guideline offers EMA’s point of view on the requirements for the physical attendance at the authorised manufacturing site applying to QPs in order to routinely run the remote certification of batches, outside emergency situations. The document has been drafted by the GMDP Inspectors Working Group; it is composed of four questions and their relative answers and it addresses some considerations arising from the experience gained on the application of the guidelines for human and veterinary medicines issued during the pandemic. These last ones were elaborated in cooperation between the European Commission, the Coordination group for Mutual recognition and Decentralised procedures – human (“CMDh”), the Inspectors Working Group, the Coordination group for Mutual recognition and Decentralised procedures – veterinary (“CMDv”) and EMA.

The Agency also warns that the contents proposed by new Q&As’ guideline may be subject to any other interpretation by the European Court of Justice, which is the ultimate responsible for the interpretation of the EU legislation.

The contents of the Q&As

The routine remote certification or confirmation of batches may in future apply to the activities carried out by the QPs within the EU and European Economic Area (EEA), with reference to manufactured or imported human and veterinary medicinal products and investigational medicinal products.

The first answer clarifies that it could be possible for the QP to routinely run remote batch certification or confirmation only if this type of practice is accepted by the relevant national competent authority (NCA) of the member state where the authorised site is located. To this instance, it should be noted that some NCAs may request some specific requirements to authorise the routine remote certification procedure, for example with reference to the location of the QPs.

Should the remote certification be allowed on a routine basis, specific requirements should be met in order to validate this practice, starting from its full compliance to the EU legislation and EU GMP guidelines.

The answer to question 2 specifies that all activities should take place in an EU/EEA country, and that the time spent by the QP at the authorised site should be commensurate with the risks related to the processes” hereby taking place. To this instance, it is of paramount importance the ability to demonstrate that the QP acting from remote has maintained full knowledge of the products, manufacturing processes and pharmaceutical quality system (PQS) involved in the remote certification/confirmation of batches. That also means that the QP should be highly reliant on the PQS of the authorised site, and this would be only possible by spending an adequate time on-site to verify the adequacy of the PQS with respect to the processes of interest. The pharmaceutical quality system should also include details of all the procedures used for the routine remote certification/confirmation of batches. The possible use of this type of remote procedure by the QP should be also clearly mentioned in the technical agreement governing the relationship between the authorisation holder and the QP, which should also specify all cases requiring the presence on-site of the QP. A robust IT infrastructure should be in place to guarantee the remote access of the QP to all the relevant documentation in the electronic format needed to achieve bath certification/confirmation, according to the provisions described in Annex 16 to the GMPs (Certification by a Qualified Person and Batch Release). To this instance, presence on-site should be always considered to solve issues that cannot properly be addressed from remote. The demonstration of the presence on-site of the QP falls under the responsibility of the Manufacturing/Importers Authorisation (MIA) holders.

These are also responsible to make available to the QPs all the hardware and software needed to guarantee the remote access to the relevant documentation (e.g. manufacturing executions systems, electronic batch records system, laboratory information systems etc.) as well as batch registers. All IT systems used for remote batch release should comply with the requirements of Annex 11 to the GMP (Computerised Systems).

On the same basis, it should be possible for NCAs to contemporaneously access for inspection all documentation and batch registers involved in routine remote certification/confirmation at the authorised site of batch release. MIA holders should also guarantee the QP is the only allowed person to access the batch certification/confirmation function and batch register, that the transferred data are complete and unchanged, and that an adequate system for electronic signatures is in place.

Question 3 simply clarifies that some members states may have some specific requirements about the country of residence of the QP, for example it should be the same where the authorised site involved in the remote certification procedure is located.

The last question discusses technical requirements linked to IT-security and data integrity for remote access, a type of procedure presenting a higher intrinsic risk in comparison to the same activities carried on-site. Here again, the main reference is Annex 11; all equipment and software used for remote certification of batches should always reflect the current technological developments.

Among the suggestions made by the Q&A draft guideline is the precise identification of all hardware transferred off-site to the QP, that should be inventoried and kept updated. Hard disks should be encrypted, and ports not required disabled.

Attention should be also paid to the configuration of any virtual private network (VPN) used by the QP to improve the security of the connection to the IT infrastructure of the authorised site and to prevent unauthorised accesses. Authentication should be based on recognised industry standards (e.g. two-factor or multifactor authentication, with automatic date of expiry). The transfer of data should be secured by strong transport encryption protocols; assignment of individual privileges and technical controls falls under the responsibility of the MIA holder


The new Annex 21 to GMPs

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

by Giuliana Miglierini

The new Annex 21 to GMPs (C(2022) 843 final) that EIPG gave a significant contribution in reviewing the original draft and thoroughly presented it within a webinar to its members on August 2020, was published by the European Commission on 16 February 2022; the document provides a guideline on the import of medicinal products from extra-EU countries. The new annex will entry into force six months after its publication, on 21 August 2022. Its contents should be read in parallel with the EU Guide to Good Manufacturing Practice for Medicinal Products and its other annexes, those requirements continue to apply as appropriate.

Annex 21 details the GMP requirements referred to human, investigational and/or veterinary medicinal products imported in the European Union and European Economic Area (EEA) by holders of a Manufacturing Import Authorisation (MIA). The new Annex does not apply to medicinal products entering the EU/EEA for export only, as they do not undergo any process or release aimed to place them on the internal market. Fiscal transactions are also not considered as a part of the new annex.

The main principles

According to Annex 21, once a batch of a medicinal product has been physically imported in a EU/EEA country, including clearance by the custom authority of the entrance territory, it is subject to the Qualified Person (QP) certification or confirmation. Manufacturing operations in accordance with the marketing authorisation or clinical trial authorisation can be run on imported bulk and intermediate products prior to the QP certification/confirmation. To this regard, all importation responsibilities for both medicinal products and bulks/intermediates must be carried out at specific sites authorised under a MIA. These include the site of physical importation and the site of QP certification (for imported medicinal products) or QP confirmation (for bulk or intermediate products undergoing further processing).

Marketing authorisation holders (MAHs) for imported products authorised in the EU remain in any case the sole responsible for placing the products in the European/EEA market. Annex 21 requires sites responsible for QP certification to verify an ongoing stability program is in place at the third country site where manufacturing is performed. This last one has to transmit to the QP all the information needed to verify the ongoing product quality, and relevant documentation (i.e. protocols, results and reports) should be available for inspection at the site responsible for QP certification. QP’s responsibilities also extend to the verification that reference and retention samples are available in accordance to Annex 19 of the GMPs, and that safety features are placed on the packaging, if required.

Importation sites should be adequately organised and equipped to ensure the proper performance of activities on imported products. More specifically, a segregated quarantine area should be available to store the incoming products until the occurrence of release for further processing or QP certification/confirmation.

European GMP rules or equivalent standards shall be followed for the manufacturing of medicinal products in third countries due to be imported in the EU. The manufacturing process has to comply to the one described in the Marketing Authorisation (MA), the clinical trial authorization (CTA) and the relevant quality agreement in place between the MAH and the manufacturer. The respect of EU GMP rules or equivalent standards should be documented through regular monitoring and periodic on-site audits of the third country manufacturing sites, to be implemented by the site responsible for QP certification or by a third party on its behalf.

The QP of the importation site is also responsible for the verification of testing requirements, in order to confirm the compliance of the imported products to the authorised specifications detailed in the MA. The verification of testing requirements can be avoided only in the case a Mutual Recognition Agreement (MRA) or an Agreement on conformity assessment and acceptance of industrial products (ACAA) is in place between the European Union and the third country where the production of the medicinal product is located.

All agreements between the different entities involved in the manufacturing and importation process, including the MAH and/or sponsor, should be in the written form, as indicated by Chapter 7 of the EU GMP Guide.

The Pharmaceutical Quality System of the importing site

According to the European legislation (Chapter 1 of the EU GMP Guide), all activities performed in the EU with reference to the manufacturing and distribution of pharmaceutical products should fall under to umbrella of the company’s Pharmaceutical Quality System (PQS). This is also true for sites involved with importation activities, those PQS should reflect the scope of the activities carried out. A specific procedure should be established to manage complaints, quality defects and product recalls.

More in detail, the new Annex 21 establishes that sites responsible for QP certification of imported products (including the case of further processing before export with the exception of investigational medicinal products) have to run periodic Product Quality Reviews (PQR). In this case too, the respective responsibilities of the parties involved in compiling the Reviews should be specified by written agreements. Should the sampling of the imported product be conducted in a third country (in accordance with Annex 16 of the GMPs), the the PQR should also include an assessment of the basis for continued reliance on the sampling practice. A review of deviations encountered during transportation up to the point of batch certification should be also available, and a comparison should be run to assess the correspondence of analytical results from importation testing with those listed by the Certificate of Analysis generated by the third country manufacturer.

Full documentation available at MIA sites

The QP’s certification/confirmation step for an imported batch has to be paralleled by the availability of the full batch documentation at the corresponding MIA holder’s site; in case of need, this site may also have access to documents supporting batch certification, according to Annex 16. Other MIA holders involved in the process may access batch documentation for their respective needs and responsibilities, as detailed in the written agreements. A risk assessment is needed to justify the frequency for the review of the full batch documentation at the site responsible for QP certification/confirmation; the so established periodicity should be included in the PQS.

Annex 21 also lists the type of documents that should be available at the importation sites, including the details of transportation and receipt of the product, and relevant ordering and delivery documentation. This last one should specify the site of origin of the product, the one of physical importation and shipping details (including transportation route, temperature monitoring records, and customs documentation). Appropriate documentation should be also available to confirm reconciliation of the quantities of batches which underwent subdivision and were imported separately.

Requirements set forth in Chapter 4 of the GMPs apply to the retention of the documentation; the availability at the third country manufacturing site of an adequate record retention policy equivalent to EU requirements shall be assessed by the site responsible for QP certification. Should it be appropriate, translations of original documents and certificates should be provided to improve understanding.


The new PIC/S guideline on data integrity

, , , , , , , , , , , , , , ,

by Giuliana Miglierini

The long waited new PIC/S guideline PI 041-1 has been finally released on July 1st; the document defines the “Good Practices for Data Management and Data Integrity in regulated GMP/GDP Environments”, and it represents the final evolution of the debate, after the 2nd draft published in August 2016 and the 3rd one of November 2018.
While maintaining the previous structure, comprehensive of 14 chapters for a total of 63 pages, some modifications occurred in the subchapters. The Pharmaceutical Inspection Co-operation Scheme (PIC/S) groups inspectors from more than 50 countries. PIC/S guidelines are specifically aimed to support the inspectors’ work, providing a harmonised approach to GMP/GDP inspections to manufacturing sites for APIs and medicinal products.

Data integrity is a fundamental aspect of inspections
The effectiveness of these inspection processes is determined by the reliability of the evidence provided to the inspector and ultimately the integrity of the underlying data. It is critical to the inspection process that inspectors can determine and fully rely on the accuracy and completeness of evidence and records presented to them”, states the Guideline’s Introduction.
This is even more true after the transformation impressed by the pandemic, resulting in a strong acceleration towards digitalisation of all activities. The huge amount of data produced every day during all aspects of the manufacturing and distribution of pharmaceutical products needs robust data management practices to be in place in order to provide adequate data policy, documentation, quality and security. According to the Guideline, all practices used by a manufacturer “should ensure that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available”. This means also that the same principles outlined by PIC/S may be used also to improve the quality of data used to prepare the registration dossier and to define control strategies and specifications for the API and drug product.
The guidance applies to on-site assessments, which are normally required for data verification and evidence of operational compliance with procedures. In the case of remote (desktop) inspections, as occurred for example during the pandemic period, its impact will be limited to an assessment of data governance systems. PIC/S also highlights that the guideline “is not intended to provide specific guidance for ‘for-cause’ inspections following detection of significant data integrity vulnerabilities where forensic expertise may be required”.

The impact on the entire PQS
PIC/S defines data Integrity as “the degree to which data are complete, consistent, accurate, trustworthy, and reliable and that these characteristics of the data are maintained throughout the data life cycle”.
This means that the principles expressed by the guideline should be considered with respect to the entire Pharmaceutical Quality System (and to the Quality System according to GDPs), both for electronic, paper-based and hybrid systems for data production, and fall under the full responsibility of the manufacturer or the distributor undergoing the inspection.
The new guidance will represent the baseline for inspectors to plan risk-based inspections relative to good data management practices and risk-based control strategies for data, and will help the industry to prepare to meet the expected quality for data integrity, providing guidance on the interpretation of existing GMP/GDP requirements relating to current industry data management practices without imposition of additional regulatory burden. PIC/S highlights that the new guidance is not mandatory or enforceable under the law, thus each manufacturer or distributor is free to voluntarily choose to follow its indications.

Principles for data governance
The establishment of a data governance system, even if not mandatory, according to PIC/S would support the company to coherently define its data integrity risk management activities. All passages typical of the data lifecycle should be considered, including generation, processing, reporting, checking, decision-making, storage and elimination of data at the end of the retention period.
“Data relating to a product or process may cross various boundaries within the lifecycle. This may include data transfer between paper-based and computerised systems, or between different organisational boundaries; both internal (e.g. between production, QC and QA) and external (e.g. between service providers or contract givers and acceptors)”, warns PIC/S.
Chapter 7 specifically discusses the Good document management practices (GdocPs) expected to be applied, that can be summarised by the acronyms ALCOA (Attributable, Legible, Contemporaneous, Original, Accurate) and ALCOA+ (the previous plus Complete, Consistent, Enduring and Available).
Data governance systems should take into consideration data ownership and the design, operation and monitoring of processes and systems. Controls should include both operational (e.g. procedures, training, routine, periodic surveillance, etc) and technical features (e,g, computerised system validation, qualification and control, automation or other technologies to provide control of data). The entire organisation should commit to the adoption of the new data culture, under a top-down approach starting from the Senior management and with evidence provided of communication of expectations to personnel at all levels. Sections 6 of the guideline provides some examples in this direction. The ICH Q9 principles on quality risk management should be used to guide the implementation of data governance systems and risk minimisation activities, under the responsibility of the Senior management. Efforts in this direction should always be commensurate with the risk to product quality, and balanced with other quality resource demands. In particular, the risk evaluation should consider the criticality of data and their associated risk; the guideline provides an outline of how to approach the evaluation of both these factors (paragraphs 5.4 and 5.5). Indication is also provided on how to assess the effectiveness of data integrity control measures (par. 5.6) during internal audit or other periodic review processes.
Chapter 8 addresses the specific issues to be considered with respect to data integrity for paperbased systems, while those related to computerised systems are discussed in Chapter 9. As many activities typical of the pharmaceutical lifecycle are normally outsourced to contract development & manufacturing organisations (i.e. API manufacturing, formulation, analytical controls, distribution, etc.), PIC/S also considered in the guideline the aspects impacting on the data integrity of the overall supply chain (Chapt. 10). “Initial and periodic re-qualification of supply chain partners and outsourced activities should include consideration of data integrity risks and appropriate control measures”, says the guideline.

The regulatory impact of data integrity
Recent years have seen the issuance of many deficiency letters due to problems with data integrity,. Approx. half (42, 49%) of the total 85 GMP warning letters issued by the FDA in 2018, for example, included a data integrity component.
The new PIC/S guideline provides a detailed cross-reference table linking requirements for data integrity to those referring to the other guidelines on GMPs/GDPs for medicinal products (Chapter 11). Guidance on the classification of deficiencies is also included in the document, in order to support consistency in reporting and classification of data integrity deficiencies. PIC/S notes that this part of the guidance “is not intended to affect the inspecting authority’s ability to act according to its internal policies or national regulatory frameworks”.
Deficiencies may refer to a significant risk for human or animal health, may be the result of fraud, misrepresentation or falsification of products or data, or of a bad practice, or may represent an opportunity for failure (without evidence of actual failure) due to absence of the required data control measures. They are classified according to their impact, as critical, major and other deficiencies.
Chapter 12 provides insight on how to plan for the remediation of data integrity failures, starting from the attention required to solve immediate issues and their associated risks. The guideline lists the elements to be included in the comprehensive investigation to be put in place by the manufacturer, as well as the corrective and preventive actions (CAPA) taken to address the data integrity vulnerabilities. A Glossary is also provided at the end of the guideline.