OR WAIT null SECS
R.C. McDowall is the principle of McDowall Consulting and director of R.D. McDowall Limited, and "Questions of Quality" column editor for LCGC Europe, Spectroscopy's sister magazine.
Two recent warning letters show that the US FDA is substantially increasing the amount of remediation work it requires for companies to correct data integrity noncompliance. That work can be very expensive—far exceeding the cost of ensuring compliance in the first place.
English is hopeless as there is no word for it. Spanish? Nope. French? Forget it. Chinese? Not a clue. In contrast, German has the word for it. What is it? Schadenfreude. Huh? Schadenfreude is defined by Wikipedia as the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another.Has this column turned into a language lesson? No. Rather, my goal is to teach you that it is better to be compliant than not.
Previously, my focus in previous “Focus on Quality” columns has been mainly on instances of noncompliance found in FDA Form 483 observations and warning letters, such as a recent review of cases of infrared (IR) spectrometer noncompliance (1). However, in this installment, I discuss the extensive and expensive remediation activities required by the FDA in two July 2020 warning letters issued for data integrity violations by two U.S. companies, Stason Pharmaceuticals and Tender Corporation (2,3).
What is the relationship of this to schadenfreude, you may ask? Wait until you see the scope and detail of the work required by the FDA to remediate the noncompliance by these two companies. It looks like the FDA is losing patience with the pharmaceutical industry and is sending an unmistakable message to companies to get their data integrity act together.
Use schadenfreude as described here to serve as a warning to check how compliant your laboratory processes and systems are now. Being inspection-ready is always preferable to having an inspector uncover noncompliant bodies that have been buried. Before we get into the miasma of these noncompliances, we need first to understand and discuss the costs of compliance and noncompliance.
Is That All a Regulation Says?
The problem in the pharmaceutical industry is that many analytical chemists in the industry have never read the regulations they have to comply with, because the regulations have been interpreted in the past by the organization. However, reading, understanding, and interpreting regulations is critical. Take for example the U.S. Good Manufacturing Practices (GMP) regulations for equipment in 21 CFR 211.63. We can boil down the 35 words of this clause into three simple requirements, that instruments:
That’s all it says. However, these words need to be interpreted in combination with USP <1058> (5):
Given that the regulations state only the minimum required elements, these regulations have spawned an industry of writers to interpret these regulations through regulatory guidance documents, a pharmacopeial general chapter, publications from scientific societies, and articles by individuals like me (5–10).
Even with all these publications, there is still the choice of how to implement these regulations in an individual laboratory for each analytical instrument and computerized system. Interpretation of pharmaceutical regulations is always a balance between the cost of compliance against the cost of noncompliance. Remember also that any work in a GMP-regulated laboratory must be scientifically sound under 21 CFR 211.160(b) (4). Figure 1 illustrates the balance between the costs of compliance and noncompliance.
Cost of Compliance vs. Cost of Noncompliance
Risk management is one of the requirements for the pharmaceutical industry following the publication of the FDA’s GMPs for the 21st Century document and the ICH Q9 guideline on quality risk management (11,12). The work required in a regulated laboratory is dependent on a justified and documented risk assessment that must also be scientifically sound. This discussion can be summarized as the balance between the cost of compliance and the cost of noncompliance. Each laboratory makes decisions along a spectrum that ranges from doing nothing to doing everything possible, and this decision determines how much regulatory and business risk a company wishes to mitigate or carry as well as how much money the company wishes to spend.
The left-hand vertical axis of Figure 1 is the cost of noncompliance and the right-hand vertical axis shows the cost of compliance. You will note that the cost of noncompliance axis is much bigger than the cost of compliance axis. One viewpoint is that one axis is logarithmic, and the other is linear. Guess which one is linear? This is one of the balances you need to consider: The right-hand side shows the cost of doing it right the first time, and the left-hand side is the cost of getting caught. Fixing a regulatory problem that has been identified in a warning letter is always more expensive than doing the right thing the first time, or even of finding a problem and fixing it yourself. If anyone is in doubt about the cost of noncompliance for data integrity violations, I suggest that you read a consent decree, such as that for Ranbaxy (14). In that consent decree, the cost of noncompliance can be quantified as hundreds of millions of dollars.
In Figure 1, the horizontal axis is the percentage of compliance from 0 to 100%. The only fixed points are at the ends of the scale where 0% indicates no control of the process or system and 100% is where anything that can be compliant is compliant. In between 0 and 100% is a relative scale of compliance. The major point to note is that this scale is not fixed but moves as indicated by the arrow at the bottom of the figure. However, the direction of movement is only one way and that is to the right! To understand this point, consider the situation with data integrity. The FDA GMP regulations have changed little since 1978 and have always contained data integrity requirements. However, since the Able Laboratories fraud case in 2005 and the discovery of industrial-scale data falsification and poor data management practices, we have seen regulatory authorities issue guidance documents on the topic and enforce the regulations more strictly (15–20). Because of the proactive monitoring by regulatory authorities, the compliance scale has moved to the right.
Because data integrity has been a major compliance topic for the past 15 years, you would think that organizations would have taken the hint and started assessment and remediation projects already. Apparently, this is not the case. There have been many past warning letters highlighting the issues that are common in the two warning letters that we review in this column. Notwithstanding the availability of those letters on the FDA’s website, apparently little if anything was been done at Stason Pharmaceuticals or Tender Corporation to even assess if there were any problems; such an effort was solely the responsibility of senior management. Also, little if any effort had been made at these companies to assess the compliance landscape, see the trends in inspections, and plan ahead. Then again, even if there was the knowledge of compliance trends at those companies, would either organization have done anything different? One has to wonder. For those working in organizations that are aware of the data integrity issues and are working to remediate the problems, you can have a little schadenfreude smirk.
Who is on the Naughty Step Today?
We are now ready to consider the cost of noncompliance of two warning letter remediation plans mandated by the FDA (2,3). These are as follows:
The main citations from both warning letters are shown in Figure 2. Interestingly, both organizations are U.S. companies and not located in India or China, reinforcing that data integrity is a global problem. Both warning letters were issued by the FDA’s Division of Pharmaceutical Quality Operations.
What is interesting is that Stason is cited under 21 CFR 211.68(b) for failing to control computer systems and Tender is cited under 21 CFR 211.160(b) for a failure of laboratory controls. However, each company is required to submit a comprehensive remediation plan for data integrity but from different clauses of the U.S. GMP regulations. So what? The what is a nearly identical list of remediation activities contained in both FDA warning letters that support my contention that the cost of non-compliance is significantly larger than the cost of compliance.
A Comprehensive Remediation Plan
Both warning letters require comprehensive corrective action and preventive action (CAPA) plans, shown at the bottom of Figure 2, and the wording is identical:
A comprehensive, independent assessment and corrective action and preventive action (CAPA) plan for computer system security and integrity. Include a report that identifies vulnerabilities in the design and controls. Also include appropriate remediations for each of your laboratory computer systems. This should include but not be limited to…
Let us analyze this single paragraph in some detail:
At the end of every warning letter is the following paragraph:
The violations cited in this letter are not intended to be an all-inclusive list of violations that exist at your facility. Inspections and audits sample and only identify problems seen during the visit.
Inspections and audits sample and only identify problems seen during the visit. The regulatory expectation is that a systems approach is taken and if there is a problem with user account management seen with one computerized system, then an assessment of all systems should be undertaken. In addition, during the assessment of processes and systems a new non-compliance is identified, fix it! This is in contrast to the traditional QA mentality to just answer the question asked and not to think wider.
From a single paragraph in each warning letter you can sense that this remediation plan will be extensive and expensive. This program of work is not a two-minute job and with external involvement in all aspects of the preparation, this work will not be cheap. Remember the sentence at the end of the paragraph: “This should include and not be limited to…more work may be required than listed in the warning letter.” This is a consulting opportunity by invitation of the FDA. My spectroscopic schadenfreude-o-meter is starting its inexorable rise into the red zone and warning lights are flashing down at quality control!
It is interesting that many organizations claim that they never have any money available for improvements or time to do compliance work. It is strange that following the receipt of a 483 and especially a warning letter, money and resources flow like water over Niagara Falls. Now you can begin to see how the cost of non-compliance is much more than the cost of compliance. With the former, you have the boot of a regulatory agency inserted in places it should not be inserted, combined with an urgent timetable from the company to resolve the non-compliance. In comparison, a well documented risk management approach that is defendable has a fraction of the cost. Not convinced yet that the cost of compliance is less than the cost of noncompliance? Before we see the evidence to support my contention, as we enter into the valley of noncompliance death, we need to discuss my data integrity model. This is necessary to understand the scope of data integrity within the context of a pharmaceutical quality system.
Reprising A Data Integrity Model
The analytical portion of my data integrity model has featured in this column before and the full model in other publications of mine (10,13,21–23). It consists of four layers analogous to building a house plus quality oversight and is presented in Figure 3. This model is important because we map the citations in the warning letters against the four levels of the model. The analogy with building a house is that if there is no foundation, the house collapses. This analogy is important to remember when we review the warning letters and analyze the remediation. Although the full model shows three levels of production and quality control (QC) analysis, we will only consider the foundation, analytical levels, and quality assurance (QA) oversight in the analysis of the warning letters. The layers of the model are:
The whole of this model must exist within a company’s pharmaceutical quality system. Each part of the FDA-required remediation plan will be mapped to one or more parts of this model using the annotations in parenthesis in the bullet list above.
Getting into the Detail
Here’s where we go into detail for the remediation CAPA plan. If you think the overview discussed above was bad, wait until you see what is coming. Figure 3 shows the minimum elements of the data integrity remediation required by the FDA of Stason Pharmaceutical and Tender Corporation. Item 12 in Figure 3 is exclusive to the latter company. Visualizing each plan is essential to have a better understanding of the scope and detail of the remediation required, which are extensive. Please note that the elements of the plan in Figure 3 have had the text edited so that the figure is manageable.
In contrast, Table I presents the data integrity remediation tasks in both the Stason Pharmaceuticals and Tender Corporation warning letters, and the one additional requirement required of Tender Corporation is added at the bottom of this table. Table I consists of three columns:
Remediation Requirements Review
We discussed the main features of a data integrity model earlier and each of the remediation requirements of the FDA in Table I are mapped against the layers of this model. Figure 4 shows the required remediation activities mapped visually against the model. This mapping is illuminating because both organizations have failed to implement basic GMP requirements in terms of data governance and associated training at the foundation and failed totally at level 1 to ensure that analytical instruments and computerized systems are fit for their intended use.
This figure also reinforces a key point that has been made since the inception of this model: If you don’t get the lower levels of the data integrity model correct, then whatever data integrity efforts are implemented at the upper layers become worthless. Of interest is the fact that level 2 is not mentioned at all in the remediation requirements because of the scope and depth of the non-compliances cited in Table I were such a shambles that the inspectors did not need to look closely at how analytical procedures were verified or validated.
The issues mapped to level 3 are, in part, a direct result of failures at the foundation and level 1. For example, because audit trails have not been implemented and validated at level 1, there is a consequential requirement for a procedure and training on how to review the entries during batch analysis at level 3. Security and access control appear conspicuous by their absence before the inspection as there is a major remediation effort to attribute work to individuals and avoid conflicts of interest when accessing systems, another level 1 failure. The failure to meet the requirement for complete data to be generated during testing is a fundamental failure in training staff in good documentation practices and data integrity including the meaning of complete data at the foundation level.
Continuing with omissions in the foundation, the spotlight now turns full beam on management. Management is not treated very kindly as there appears to be an abject failure of executive leadership with respect to data integrity and data governance. This is a fully deserved citation as data integrity begins and ends with executive management. Management is responsible for the pharmaceutical quality system and this is made crystal clear in GMP and good laboratory practices (GLP) regulations (24–26) as well as in regulatory guidance documents on data integrity (16–20). Any data integrity program requires resources, time, and funding for the assessment and remediation of processes and systems including updating or replacing inadequate systems. Executive management bears sole responsibility for this work.
The QA departments in these firms also appear to be inept, given that FDA’s remediation has the explicit requirement for quality staff with IT knowledge. It seems likely that the focus of quality oversight was only on paper records, possibly with paper printouts from the computerized systems being defined as the “raw data.” This is despite the fact that the FDA has had a level 2 guidance on why electronic records take priority over paper printouts available since 2010, which is publicly available on the agency’s web site (27). This position was reiterated in the 2018 data integrity guidance from the agency (19).
There is an initial remediation emphasis on procedural controls but the longer-term focus is directed by the FDA to technical controls. Overall, there should be elimination of paper by interfacing instruments, such as pH meters, and analytical balances to a laboratory information management system (LIMS). This is a crucial approach as procedural controls are operated by humans but consistency and identifying errors are not a given. Technical controls that have been validated can be operated consistently and enforce a procedure and hence GXP compliance, this is a far better approach compared to procedural controls.
Sometimes I get a feeling that an independent assessment of the current working practices will open one or more cans of worms for the company, and my schadenfreude-o-meter is ready to tick up a notch or two.
The focus of the FDA’s remediation requirements at level 1 of the model appears to indicate that both organizations did little more than install all analytical systems and then operate them in default mode. The systems themselves were either poorly designed (no database or audit trails were never turned on) or badly implemented, because it was possible to delete data. Because there are numerous citations for data deletions or failing to report all data, the remediations will be very expensive, coupled with the two independent assessments of systems and working practices.
A Bonus Remediation Task
In addition to the work required under the comprehensive and independent CAPA plan listed in Table I, there is a second major data integrity remediation requirement for Stason:
A complete assessment of documentation systems used throughout your manufacturing and laboratory operations to determine where documentation practices are insufficient. Include a detailed CAPA plan that comprehensively remediates your firm’s documentation practices to ensure you retain attributable, legible, complete, original, accurate, contemporaneous records throughout your operation (2).
How best to summarize this paragraph? Your quality management system is terrible. Fix it. This is a massive project in addition to all the other remediation work. Here the whole organization’s quality management system (QMS) and all methods of recording regulated activities, both in the laboratory and in production, have been brought into question. If the agency cannot trust the data, what hope is there for the company other than a complete reassessment of policies and procedures within the QMS? This work must run in parallel with the data integrity remediation discussed above. There will be multiple interactions between the two projects to ensure attributable, legible, contemporaneous, original, and accurate (ALCOA) principles are applied while completing data and record integration into the foundation of what the company does. This work applies not just to paper but also to hybrid and electronic records. This extensive remediation project can be mapped to the foundation level of the data integrity model.
Noncompliance Can Seriously Damage Your Wealth
When a company receives an FDA warning letter, there are several consequences, many of which will result in additional costs that we have not covered yet.
We have discussed how to interpret pharmaceutical regulations with the careful balance between the cost of compliance with the cost of non-compliance. The two warning letters discussed here clearly demonstrate that it is easier and cheaper to be compliant rather than face the consequences of remediating noncompliance. Will organizations listen, eliminate paper, and move to automated processes with validated technical controls to ensure compliance and data integrity? That is the $64,000 question (cost of compliance) or $64,000,000 question (cost of non-compliance). If your organization is compliant, you can experience schadenfreude.
I would like to thank John English whose work of posting FDA 483 observations and warning letters on LinkedIn led to the genesis of this article, and Chris Burgess, Paul Smith, and Kevin Roberson for helpful comments during preparation.
R.D. McDowall is the director of R.D. McDowall Limited and the editor of the “Questions of Quality” column for LCGC Europe, Spectroscopy’s sister magazine. Direct correspondence to: SpectroscopyEdit@MMHGroup.com