DATA INTEGRITY INSPECTION PERSPECTIVES

Transcription

1 DATA INTEGRITY INSPECTION PERSPECTIVES Mock Inspection - Thinking Discussion & Exercises Jay Waterbury and Loren Smith MMRC/MPRL/ /2017

2 Overview and Objectives Introduction and Setup Data Integrity Interactive Discussion Part 1 Inspection Lifecycle, Perceptions Balancing Messages Approach to an Inspection Warning Letters / 483s Data Integrity Interactive Discussion Part 2 2

3 Otto von Bismarck Only a fool learns from his own mistakes. The wise man learns from the mistakes of others. 3

4 Exercise Review the provided information and derive a proposed reply to the agency that would satisfy the agency s expectations and stop this (in conjunction with other possible issues) from leading to a Consent Decree. Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and to provide adequate controls to prevent omission of data. Our investigator found that your (b)(4) system used for (b)(4) and (b)(4) testing lacked access controls and audit trail capabilities. For example, all employees had administrator privileges and shared one user name, so actions could not be attributed or traced to specific individuals. This exposed your electronic data to manipulation and/or deletion without traceability. Our investigator also noted that your firm copied raw data to a CD (b)(4), and then deleted the data from the (b)(4) system to free space on the hard drive. Files copied to the CD were selected manually; the selection process was not supervised. Without audit trail capabilities or supervised file selection, there was no assurance that all raw data files were copied to the CD before they were permanently deleted from the system. We acknowledge your commitment to hire a third-party expert to install audit trails and other controls to ensure that data cannot be deleted from this electronic system. However, your response was inadequate. Simply preventing data deletion is not sufficient. You did not show how these steps will ensure that your firm retains and evaluates all data, including laboratory data, created as part of a CGMP record prior to release of your product. In your response to this letter, 4

5 Inspection Lifecycle Preparation Event After Event 5

6 Perspectives Industry Brain FDA Brain 6

7 FDA Enforcement Tools and Options Advisory actions (483s, Untitled Letters, Warning Letters) documented warnings which the FDA informs companies of situations the agency believes may constitute violations, in an effort to stimulate voluntary compliance. two-phased objective emphasizes voluntary compliance, but the background of warning is important both because it provides a level of due process but also for the FDA, because it strengthens the case for escalation when voluntary efforts fail Administrative actions Administrative detention Import detention and refusal to permit entry Biologics License Application suspension or revocation Judicial actions (civil and criminal) Civil actions Product Seizure Injunction Criminal prosecution can be sought in regulatory cases (rare but does happen) and for crimes of intent involving deliberate violations 7

8 Warning Letters of relevance Shandong Analysis and Test Center 6/22/17 (China) MedPharmex, Inc. 5/17/17 (California) Huron Pharmaceuticals, Inc. 4/20/17 (Michigan) Divi's Laboratories Ltd. (Unit II) 4/13/17 (India) Mylan Laboratories Limited, (Nashik FDF) 4/3/17 (India) Chongqing Pharma Research Institute Co., Ltd. 2/14/17 (China) FACTA Farmaceutici S.p.A. 1/13/17 (Italy) Morton Grove Pharmaceuticals, Inc. 2/17/17 (Illinois) Sato Yakuhin Kogyo Co., Ltd. 1/6/17 (Japan) All means all. And all is all all means. Brent Kall 8

9 Exercise Review the provided information and derive a proposed reply to the agency that would satisfy the agency s expectations and stop this (in conjunction with other possible issues) from leading to a Consent Decree. Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and to provide adequate controls to prevent omission of data. Our investigator found that your (b)(4) system used for (b)(4) and (b)(4) testing lacked access controls and audit trail capabilities. For example, all employees had administrator privileges and shared one user name, so actions could not be attributed or traced to specific individuals. This exposed your electronic data to manipulation and/or deletion without traceability. Our investigator also noted that your firm copied raw data to a CD (b)(4), and then deleted the data from the (b)(4) system to free space on the hard drive. Files copied to the CD were selected manually; the selection process was not supervised. Without audit trail capabilities or supervised file selection, there was no assurance that all raw data files were copied to the CD before they were permanently deleted from the system. We acknowledge your commitment to hire a third-party expert to install audit trails and other controls to ensure that data cannot be deleted from this electronic system. However, your response was inadequate. Simply preventing data deletion is not sufficient. You did not show how these steps will ensure that your firm retains and evaluates all data, including laboratory data, created as part of a CGMP record prior to release of your product. In your response to this letter, 9

10 In response to this letter, provide the following Time frame? People? Facilities? Data evaluation strategy? Submitted data? Systems? Risk? Management commitment? CAPA? Status reports When did the data integrity issues potentially occur? Who was involved? Who was responsible? Does the data match the interviews? Where else in your company might these issues have occurred? What data will be reviewed? How much? How were these decisions made? Does the data match what was submitted in the CMC or other filings? What other systems may have data integrity concerns? What is the risk of the data integrity problems to patient safety and product quality? How is management showing that they are taking the Agency s concerns seriously? Are there any appropriate field actions that need to be taken? Recalls, notices to healthcare providers? Are the entire set of activities occurring according to commitments? If not, why not, and what is being done? 10

11 In response to this letter, provide the following Sun Pharmaceutical Industries Limited - Karkhadi 5/7/14 Divi's Laboratories Ltd. (Unit II) 4/13/17 1. Identify any historical period(s) during which inaccurate data reporting occurred at your facilities. 2. Identify and interview your current employees who were employed prior to, during, or immediately after the relevant period(s) to identify activities, systems, procedures, and management behaviors that may have resulted in or contributed to inaccurate data reporting. 3. Identify former employees who departed prior to, during, or after the relevant periods and make diligent efforts to interview them to determine whether they possess any relevant information regarding any inaccurate data reporting. 4. Determine whether other evidence supports the information gathered during the interviews, and determine whether additional facilities were involved in or affected by inaccurate data reporting. 5. Use organizational charts and SOPs to identify the specific managers in place when the inaccurate data reporting was occurring and determine the extent of top and middle management involvement in, or awareness of, data manipulation. 6. Determine whether any individual managers are still in a position to influence data integrity with respect to CGMP requirements or data submitted to the agency. 7. Expand your internal review to any other facilities determined to be involved in, or affected by, inaccurate data reporting. 8. Include a report that describes in detail the criteria used to determine the identity of the data files generated from the testing of batch, standard, or system suitability samples. The report should include examples of the use of these criteria, as well as identify which data files are standards and samples. In addition, include the procedures followed to prepare samples for system suitability runs (i.e., procedures followed to spike impurities into samples), and to handle product samples and the data files. This assessment should be conducted for both GC and HPLC data. 9. As part of this comprehensive data integrity audit of your laboratory, your audit report also should include any discrepancies between data or information identified in approved applications, and the actual results, methods, or testing conditions submitted to the Agency. Include an explanation of the impact of all discrepancies. Provide a corrective action plan describing the specific procedures, actions, and controls that your firm will implement to ensure integrity of the data in the future. This should cover method validation and any test data (e.g., stability tests, release tests) you have obtained. A. A comprehensive investigation into the extent of the inaccuracies in data records and reporting. Your investigation should include: A detailed investigation protocol and methodology; a summary of all laboratories, manufacturing operations, and systems to be covered by the assessment; and a justification for any part of your operation that you propose to exclude. Interviews of current and former employees to identify the nature, scope, and root cause of data inaccuracies. We recommend that these interviews be conducted by a qualified third party. An assessment of the extent of data integrity deficiencies at your facility. Identify omissions, alterations, deletions, record destruction, non-contemporaneous record completion, and other deficiencies. Describe all parts of your facility s operations in which you discovered data integrity lapses. A comprehensive retrospective evaluation of the nature of the testing data integrity deficiencies. We recommend that a qualified third party with specific expertise in the area where potential breaches were identified should evaluate all data integrity lapses. B. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations. C. A management strategy for your firm that includes the details of your global corrective action and preventive action plan. Your strategy should include: A detailed corrective action plan that describes how you intend to ensure the reliability and completeness of all of the data you generate, including analytical data, manufacturing records, and all data submitted to FDA. A comprehensive description of the root causes of your data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment. Indicate whether individuals responsible for data integrity lapses remain able to influence CGMP-related or drug application data at your firm. Interim measures describing the actions you have taken or will take to protect patients and to ensure the quality of your drugs, such as notifying your customers, recalling product, conducting additional testing, adding lots to your stability programs to assure stability, drug application actions, and enhanced complaint monitoring. Long-term measures describing any remediation efforts and enhancements to procedures, processes, methods, controls, systems, management oversight, and human resources (e.g., training, staffing improvements) designed to ensure the integrity of your company s data. A status report for any of the above activities already underway or completed. 11

12 Open discussion Questions? 12

13 THANK YOU 13