By Michael Gregor
An increase in federal FDA investigators has led to an elevated level of inspections across the United States and abroad. Consequently, there has been an array of new violations as well as repeat violations. Repeat violations result in the formation of industry trends and can be quite alarming when you consider that different areas of the country and world are making the same mistakes.
Some of the new violations I am seeing that have not been prevalent in the past are violations for the lack of computer system validation on quality system software as well as software embedded inside devices. A recent example of a violation from Olympus Temmo Biomaterials Corporation — Mishima Factory in Japan:
“Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system, as required by 21 CFR §820.70(i) (Production and Process Controls — Automated Processes). For example, the CAPA analysis of nonconformances, which is used at management meetings, is inadequate in that the report is computer-generated on a nonvalidated software system.”
Validating per intended use is a big sticking point for federal FDA investigators. Investigators want to ensure you are verifying that your systems operate as intended so that they do not, for example, introduce errors when processing data. There are several factors to consider when ensuring your system operates as intended; I will mention a few points here. Proper user requirements are important to ensuring your system has its intended use documented. If you document your intended use in your user requirements document, there is a high degree of assurance you will test your intended use, as there must be at least one test script per user requirement. In the case of the Olympus Temmo Biomaterials Corporation violation, they did not validate their CAPA (corrective and preventive action) analysis of nonconformances report and, therefore, it was considered inadequate. You must be very careful when documenting your user requirements, as you must ensure you document everything you intend the system to do.
An example of a repeated violation is in regard to promotional materials on the Web. The Division of Drug Marketing, Advertising, and Communications (DDMAC) is the FDA’s watchdog for promotional materials on the Web. With social networking so prevalent these days, it is becoming much more challenging to monitor promotional materials for violations against the Federal Food, Drug, and Cosmetic Act. Just recently, Novartis Pharmaceuticals Corp was cited for violating the Federal Food, Drug, and Cosmetic Act. Specifically, the violations stated:
“These websites represent branded promotional material for Gleevec (imatinib mesylate). These websites are false and misleading because they promote the drug for an unapproved use, fail to disclose the risks associated with the use of Gleevec and make unsubstantiated dosing claims. Therefore, these websites misbrand the drug in violation of the Federal Food, Drug, and Cosmetic Act. Furthermore, it appears that these materials were neither submitted to FDA 30 days prior to the intended time of initial dissemination or initial publication as required by 21 CFR 314.550, nor submitted to the FDA on Form FDA 2253 at the time of initial dissemination or initial publication. These websites are concerning from a public health perspective because they promote Gleevec for an unapproved use, fail to disclose the risks associated with the use of Gleevec, and make unsubstantiated dosing claims about this medication that can put patients at higher risk of experiencing serious adverse events.”
Another example of a repeated violation is when management with executive responsibility fails to ensure an effective quality system as well as maintain that quality system across the organization. BioMedix, Inc. was cited by the FDA:
“Management with executive responsibility has not ensured that an adequate and effective quality system has been fully implemented and maintained at all levels of the organization. Specifically, inadequate complaint handling, periodic management reviews do not ensure that the quality system satisfies the requirements of the GMP, failure to manage Corrective and Preventive Action (CAPA), and infrequent internal quality audits.”
Unfortunately, when there is a lack of compliance from the top down, it is difficult for middle management to encourage their employees to enforce compliance with their customers.
Another very common FDA violation is the lack of an effective Quality Control/Quality Assurance (QC/QA) department. KV Pharmaceutical was cited with the following observation: “The responsibilities and procedures applicable to the quality control unit are not fully followed. Specifically, the QC/QA functions have failed.” This particular violation is not only frequent, but also alarming. If there is a fundamental breakdown in the QA and QC functions of an organization, there is a high risk the products it produces will be adulterated. Lastly, without the important checks and balances the QA and QC departments provide to their customers, processes end up out of control. The FDA views a situation like this very seriously, because it is reasonable to believe that if an organization is not following its procedures and the QA/QC functions have failed, then the entire organization is out of control.
We identified computer system validation as a new FDA violation that is becoming more prevalent in the industry. Additionally, we studied three more FDA violations pertaining to promotional materials, executive management responsibilities, and QA/QC responsibilities. These violations are frequently cited by the FDA and therefore fall into the “repeated violations” category. Now, let’s have a look at what organizational areas might be affected by the violations cited in this article and how you may mitigate the compliance risk associated with the violations.
Mitigating The Risk
First, let’s discuss the computer system validation violation. As mentioned, this violation is a new violation in the sense that FDA investigators are now increasingly citing companies for intended use computer system validation deficiencies. When you consider the vast amount of technology that drives our business processes, it would seem logical the FDA would begin to target electronic systems much more than in the past. The areas I would recommend you focus on to minimize your risk of receiving computer system validation intended use violations are IT, QA, regulatory affairs, and manufacturing. You should first identify all regulated applications and assess their validation documentation to ensure objective evidence is present and the documentation shows the system was validated per its intended use. Next, I would assess your standard operating procedures and work instructions to ensure they reflect current work practices and are functional for your business.
Let’s look at Novartis Pharmaceuticals Corporation’s violation, which falls under the “repeated violation” category. Novartis Pharmaceuticals was cited for misbranding its drug product through the promotional material listed on its website. The company basically promoted the drug for an unapproved use, failed to disclose associated risks, and made unsubstantiated dosing claims, which put the public at a higher risk of experiencing serious adverse events. The Internet is a very persuasive and powerful tool and, if used appropriately, can benefit a company greatly. Although Novartis used the Internet to its advantage, the company neglected to effectively evaluate the website content before going live with the site. The areas of operations I would target here are the regulatory affairs and marketing departments. It is important that these two departments have a close relationship when it comes to the generation, analysis, and implementation of promotional materials. It would be prudent to have safeguards in place to ensure the regulatory affairs department approves all promotional materials generated by the marketing department.
The next repeated violation pertains to management with executive responsibility. Management at BioMedix, Inc. was cited for not ensuring that an adequate and effective quality system had been fully implemented and maintained at all levels of the organization. This FDA violation is very common, hence the label of “repeated violation.” I recommend targeting the QA department for this violation. QA is directly responsible for the quality system creation, implementation, and maintenance. To remedy the violation, I suggest the organization’s QA department perform an internal audit of the entire quality system. Document all of the observations and then bring in an outside auditor to perform another audit of the quality system. Having a third party audit your quality system is invaluable, as they often bring a vast amount of experience and a fresh pair of eyes that often see things you don’t. Once the audits are completed, it would be advantageous to classify the observations into two categories: major and minor. A major observation would have a direct impact on patient safety, whereas a minor observation would have an indirect impact on patient safety. Classifying the observations will allow your organization to prioritize the corrective actions for each observation. Prioritizing also helps with allocating resources where they are most needed. Finally, I recommend management sign off on the audit reports as well as the corrective actions report.
The last repeated violation we will discuss is from KV Pharmaceutical. This company was cited for its quality control unit not fully following its own procedures. Furthermore, the FDA stated the company’s QA/QC function had failed. For clarity, please note QA/QC is the same as the quality control unit. The QA/QC departments need to be targeted to rectify this violation. I recommend the QA/QC departments review all of their own procedures as well as customer procedures where they are reviewers and approvers. Taking these actions will help ensure the procedures can be updated to reflect current work practices, therefore leading to more consistent work practices and a controlled QA/QC environment.
Whether a common violation or one that is starting to be cited more by FDA investigators, these violations are all to be taken seriously. For example, the FDA’s Office of Compliance says that a warning letter is to be considered a legal threat. I recommend companies take reasonable corrective actions in a swift manner. I would also suggest the same approach for FDA 483s, as the response time for 483s has been reduced to 15 days. In fact, whenever your organization is required to collaborate with the FDA, it is best to reasonably resolve observations and act promptly.
About The Author
Michael Gregor is president of Compliance Gurus Inc., a compliance consulting and software solutions provider. Prior to forming his own company, Gregor acquired over 20 years of experience in the FDA-regulated industry. His areas of compliance expertise include: biological, OTC and pharma drugs, cosmetics, dietary supplements, foods, and medical devices.
Used with permission from Life Science Leader magazine.