Free Sample Issue: Proposed CGMP Requirements for Compounding Facilities, SaaS & SaMD: Harmonizing QSR with IEC 62304 + Warning Letter Breakdown
Minimum CGMP requirements may be formally coming to compounding facilities. We also look at SaaS and SaMD through the lens of QSR and ISO and break down a major device warning letter.
Welcome to Insider issue #3.
Today, we look at FDA’s proposed minimum CGMP requirements for outsourcing facilities that compound drugs, harmonizing QSR and IEC 62304 for SaaS and SaMD products, and a warning letter to a large device firm.
Key points revised and summarized:
Regulations on CGMPs specific to outsourcing facilities—proposed new rule for compounding facilities
Firstly, we want to discuss regulations pertaining to CGMP specific to outsourcing facilities as outlined in FDA's recent Unified Agenda. This is a proposed new rule for compounding facilities. The proposed rule is expected to be published in July of 2022. FDA is expected to establish the minimum CGMP requirements for human drugs compounded by outsourcing facilities.
The actual rule as published is presented here, and notably, the abstract indicates that this rule would set forth the CGMP requirements for human drug products compounded by an outsourcing facility. Quality consultants' commentary for the compounding facility leadership would be
Minimum CGMP requirements for processes associated with compounding should increase consistency.
Quality system implementation, including records and investigations of deviations with corrective action and preventive action, training, and quality oversight of compounding activities may represent significant gaps from what's currently occurring.
Quality system implementation should be discussed with an experienced GMP quality professional, and this consultation should include a gap analysis of all systems' design and implementation and a strong training program.
Going deeper: Advice from Gary E. Ritchie excerpted from The FDA Group’s webinar and accompanying white paper: The Importance of CGMP to the Safety of Compounded Drugs
Complying with CGMPs: the first step
Just as drug manufacturers produce drug products using a systems approach that acts as a set of controls to meet a previously described product specification, compounding pharmacies have been required to demonstrate that CSP/CP are produced using the same systems since the passage of the Drug Quality and Security Act in 2013.
DQSA dictates that without toxicology or clinical studies to demonstrate safety and efficacy, the only recourse the public has is to rely on a number of indicators of proof of purity, safety, and efficacy, such as:
Compounding pharmacists’ ability to demonstrate that they have used approved drug substances to make their product;
that they don’t make copies of already approved drug products;
that they adopt and adhere to CGMP rules that dictate that they don’t make their product in unsanitary conditions;
that they use validated processes;
that they use qualified and calibrated equipment;
that they are trained operators and analysts;
that they test their product by an FDA-registered laboratory (that also operates under CGMP) before it is prescribed, compounded, and dispensed to a patient.
A pharmacist may comply with this system of controls by first instituting a key component of CGMP that allows a compounding pharmacy to be run and ably managed such that all of the requirements under CGMP are effectively met, by first adopting and then committing to a quality management system (QMS).
The basic components of a QMS that compounders should consider
At its most basic level, a QMS ensures that four main criteria of a DP and CSP/CP that directly impact patient safety are met: quality, identity, strength, and purity (free of contaminants such as bacteria and endotoxins). The QMS is designed to ensure these criteria are met by dividing its process into eight elements:
Document Management System
Investigation/ Out-of-Specification (OOS) Management System
Corrective Action Preventive Action (CAPA) Management System
Deviation/Incident Management System
Change Control Management System
Complaints Management System
Audit Management System
Training Management System
Calling out a few trouble areas
Consider the ongoing practice of potency over time testing (POT) for determining beyond use dating (BUD) as a surrogate for stability testing of compounded preparations. POT is not an accepted methodology according to CGMP because it does not answer two key questions that stability studies, as defined by CGMP regulations seek answers to:
Has the active drug substance or other components of a compounded preparation degraded at its recommended labeled storage condition?
Are the byproducts of these degradants present at levels that could pose a health risk to the patient?
Also consider the contention by some pharmacists that a CSP/CP shelf life can be determined by the length of time that a formulation maintains its potency (strength, or the amount of the active drug substance) within its acceptance criteria (typically 90.0 – 110%) of its nominal dosage amount.
Manufacturers of approved drugs must demonstrate shelf life by determining the amount of degradation that a product undergoes by a rigorous analytical testing methodology that is specific and sensitive to the presence of degradants in the compound. The active drug, components, and degradants are tracked by a designed study interval of time to ensure that the product remains stable over its calculated and derived shelf life (also referred to as expiry dating).
To ensure there is recourse to test the product while it is on the market, a representative sample (or retain container of each and every lot released) is maintained at the labeled storage conditions so in the case of an adverse event or other activity requiring the re-assay of the marketed product, the retained sample is tested and compared against the complaint sample if it exists, and the resulting test result is assessed for both identity, potency/strength, and the presence of any new degradants that may have formed in the retain sample stored under controlled label storage conditions. This cannot be done with CSP/CP because no degradants are ever measured at the time of the POT test point, only the potency/strength is determined on the active ingredient.
It has been argued that where a stability-indicating assay method is used in some cases for POT determination, this in effect a stability study. But this is in fact not true. Degradants are not identified or quantified against a known reference standard, so the true “mass balance” of the actual assay value is never truly known if degraded material is present.
This presents a serious problem to the FDA since CSP/CP are not approved products. Furthermore, their safety in human and animal trials has not been demonstrated. The pharmacists and the SBOP are at an impasse on this issue, but the FDA is not. The number of inspectional observations for lack of stability data in support of a marketed product is steadily increasing.
The FDA guidance for stability (December 2008) states, “there can be only one set of standards. Samples of products (from production lots) on stability should be representative of those in the marketplace. Expiration dating is based on the ability of the product to be measured over a certain period of time against the established specifications or standards.”
Thirdly, the continued lack of good documentation practices will be a deciding factor in whether the compounding industry can keep pace with other requirements evolving in the drug manufacturing industry. Supply chain and data integrity is undergoing significant evolution with emerging blockchain technology. This technology has been introduced as an IT solution for creating and maintaining a secure and permanent supply chain, process, and quality record of every step taken for every batch manufactured. As the drug industry evolves from batch manufacturing to continuous manufacturing modes, technological solutions will be required to meet the exponentially growing volume of data—the so-called “big data” explosion. What does this mean for compounding? The current requirement in DQSA for a robust QMS that includes a reliable and sustainable documentation management system is a relatively simple requirement compared to the emerging blockchain technology.
The bottom line: A QMS comprising the six systems of control followed presents elements that, if implemented by compounding pharmacies correctly, will ensure a state of control and provide state and federal inspectors with a common standard from which an assessment of the state of compliance can be made. Pharmacists should focus on adopting CGMP quality management system practices and analytical stability testing as opposed to potency over time (especially with respect to the lack of appropriate stability testing of CSP/CP and the improper transfer of POT/BUD data across multiple compounders possessing the same formulation) and emerging IT developments to enhance data integrity and overall quality records that are being made. (Talk to us if you need help putting such a QMS in place.)
Software as a Service (SaaS) and Software as a Medical Device—harmonizing QSR with IEC 62304
Software as a Medical Device ranges from software that allows a smartphone to view images obtained from a magnetic resonance imaging (MRI) medical device for diagnostic purposes to Computer-Aided Detection (CAD) software that performs image post-processing to help detect breast cancer.
The International Medical Device Regulators Forum (IMDRF) Software as a Medical Device Working Group published a possible risk categorization framework for SaMD. This framework has four categories (I, II, III, and IV) based on the levels of impact on the patient or public health where accurate information provided by the SaMD to treat or diagnose, drive or inform clinical management, is vital to avoid death, long-term disability or other serious deterioration of health, mitigating public health. The Level IV category is SaMD with the highest impact on the patient or public health. Level I is the lowest.
Software that is connected to a hardware medical device (rather than being an accessory) but isn’t needed to achieve that medical device’s intended medical purpose is considered SaMD.
Two of the biggest advantages include improved health outcomes through more accurate data as well as quicker production and feedback, leading to faster innovation.
Two of the biggest advantages include improved health outcomes through more accurate data as well as quicker production and feedback, leading to faster innovation.
According to the IMDRF, software as a medical device is defined as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”
Any software that is an entity on its own without an associated hardware device can be classified as SaMD. For example, the software that computes the drug dosage based on patient data can be classified as a SaMD whereas software within a device that dispenses medication is not SaMD.
QSR review: the DHF
Your DHF should comprise and organize all files and documents comprising the development of your medical device for easy reference. It should contain the following records:
Design Inputs — references to all of your development processes
Design Outputs — references to build the device
Design Reviews — meeting minutes, consensus reports, etc. (Does the design make sense?)
Design Transfer — often considered technology transfer to manufacturing
Design Verification/Validation — GAMP V Model based
QSR review: the DMR
Your DMR should contain all the instructions, schematics, drawings, charts, etc. Everything needed to build and test your device is located here. Again, organization is the key, as well as document version control. For the device, the FDA only requires you to reference the required documents, not duplicate them. A lot of the documents required for the DMR should already exist in the DHF.
A good trace matrix would help to easily map where reference files are located. This would keep you from stumbling through an audit trying to find DHF and DMR reference files.
QSR review: the DHR
The DHR should contain references for:
The dates of manufacture;
The quantity manufactured;
The quantity released for distribution;
The acceptance records, which demonstrate the device is manufactured in accordance with the DMR;
The primary identification label and labeling used for each production unit; and
Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used.
Each manufacturer shall establish and maintain procedures to ensure that DHRs for each batch, lot, or unit are maintained to demonstrate that the device is manufactured in accordance with the DMR and the requirements of this part.
The DHR should contain all the information, history of the device, and all the details that went into making it according to the DMR. The DHF should contain all the information, and history, of the design process.
Simple review criteria for your QMS
Is it simple?
Is it the right size?
Have you built value into it?
Is it well organized and navigable?
Do you engage in Change Management?
Do have a Quality Manual and have you used it to develop your procedures?
A QSIT checklist
The firm must have a written quality policy. (The definition of “quality policy” is provided in the Quality System Regulation. It means the overall intentions and directions of an organization with respect to quality.)
The firm is responsible for establishing a clear quality policy with achievable objectives then translating the objectives into actual methods and procedures.
Management with executive responsibility (i.e., has the authority to establish and make changes to the company quality policy) must assure the policy and objectives are understood and implemented at all levels of their organization.
The policy does not need to be extensive.
Personnel are not required to be able to recite the policy but they should be familiar with it and know where to obtain it.
EC 62304 is a functional safety standard that covers safe design and maintenance of software. It provides processes, activities, and tasks to ensure safety. It applies to the development and maintenance of medical device software when the software is itself a medical device.
IEC 62304 defines software lifecycle processes for medical device software.
Regulatory practitioners understand that the FDA sees this as a consensus standard.
IEC 62304 alignment with 820: 12 areas of focus
Quality Management System
Risk Management Process
Software safety classification (A, B, or C)
Software development plan – SDLC model
Software integration and integration testing planning
Problem Report — a record of the actual or potential behavior of a software device
Software System — inputs and outputs
Software Maintenence process
Change Control process
Software Product Problem Report
Feedback from a user or other interested person who believes a software product to be unsafe, inappropriate for the intended use to contrary to the specification
Warning letter breakdown:
Large medical device manufacturer is cited for failing to investigate over 800 complaints of defective components (plus CAPA and MDR problems)
You failed to review, evaluate, and investigate complaints involving the possible failure of a device to meet any of its specifications, as required by 21 CFR 820.198(c).
a. Your firm failed to investigate over 800 complaints of defective black retainer rings. In June 2016, your firm initiated CAPA (b)(4)#299677 to address an increase in complaints of damaged retainer rings in the MiniMed 600 Series Insulin Infusion Pumps; as part of the CAPA investigation, your firm determined the retainer ring required re-design, and you changed the retainer ring from a clear (b)(4) ring to a black (b)(4) ring. You began releasing the re-designed pump with black retainer ring in August 2019, and you closed CAPA (b)(4)#299677 as effective October 2020. From December 2019 to May 2021, you received 887 complaints of defective black retainer rings; in 772 of the 887 complaints your firm referenced CAPA (b)(4)#299677 as the “Formal Investigation Reference Number” even though this CAPA was an investigation of the previous clear retainer ring design. For example:
i. On January 21, 2020, you received a complaint (CASE-2020-00056605) from a customer reporting a crack on their insulin pump reservoir compartment, and damage to the retainer ring. Your product analysis on the returned device confirmed the device had a “partially broken retainer, cracked reservoir tube lip, missing reservoir tube lip O-ring, and broken reservoir tube lip.” On April 24, 2020, you determined no formal investigation was necessary due to existing/previous formal investigation and referenced CAPA (b)(4)#299677. You closed this complaint on April 24, 2020.
ii. On February 20, 2020, you received a complaint (CASE-2020-00139368) from a customer reporting they experience hyperglycemia, with blood glucose levels of 450 mg/dL. The customer stated that the lip ring was missing. Your product analysis on the returned device confirmed the device was missing the reservoir retainer ring and the reservoir tube lip O-ring, and the reservoir would not stay locked in place due to the missing retainer. On May 8, 2020, you determined no formal investigation was necessary due to existing/previous formal investigation and referenced CAPA (b)(4)#299677. You closed this complaint on May 8, 2020.
iii. On April 7, 2020, you received a complaint (CASE-2020-00260639) from a customer experiencing a high blood glucose level of 434 mg/dL. The customer reported that the retainer ring was loose, and the reservoir did not lock into place when inserted into the pump. Your product analysis on the returned device confirmed a broken retainer and missing reservoir tube O- ring, and the reservoir did not lock into place. On June 5, 2020, you determined no formal investigation was necessary due to existing/previous formal investigation and referenced CAPA (b)(4)#299677. You closed this complaint on June 6, 2020.
Some companies misunderstand regulations and how to comply with them. Also, they fail to understand what is expected from them in terms of what needs to have written evidence and what doesn’t.
Here’s a huge piece of advice: “If there is no written evidence of it happening, it NEVER happened.” In addition, more likely than not, always make conservative decisions when it comes to data supporting the form, fit, and function of your final product. It’s helpful to periodically review citations and warning letters from the industry to learn from other companies’ shortcomings and to better understand expectations.
Quality teams should put themselves in the situations that lead to these and do an introspective analysis of their company’s Quality Systems to make sure they are not the next warning letter holder. In this way, they are taking a preventative approach and making sure they institute a culture of continuous improvement and active prevention.
In this case, the company “did not identify the actions needed to control devices already in distribution” after manufacturing issues were identified.
The company initiated corrective and preventative actions in June 2016 after customer complaints increased, but a recall was not initiated until November 2019 after the company continued to receive retainer ring complaints.
The company did not originally pull devices from the market because they determined that “the risk of serious adverse health consequences was ‘improbable,’” according to the FDA. But the agency disagreed with the company’s assessment.
According to FDA, after the company’s update to the FDA, there were still 38 corrective and preventative actions that required “remediation and/or clarification” and 14 corrective and preventative actions “requiring a new complaint monitoring plan.
FDA: “In summary, your corrective actions are still in process, and you have not yet conducted effectiveness checks to ensure the updated procedures and required employee training will prevent reoccurrence of the identified deficiencies.”
Three complaint handling tips from The FDA Group’s Alan Greathouse:
1. Review and document your field service program consistently and completely.
“A lot of companies should look at their field service program—how that’s documented, where it’s documented, and the accuracy of that system. You have to be extremely careful about what your technicians in the field are documenting. What happens is, you attach those service records, or the SAP entry, or whatever the case may be, but the documentation practices change when it gets back to the group. I’ve seen companies get themselves in a world of hurt here. For example, the auditor picks up some complaints, finds that they’re incomplete (they don’t include the SAP number, or the field service record number, for instance) so they say, ‘well, we want to see them.’ Now it takes take a day and a half just to find them. Then they come back and say, ‘well, this is inadequate or insufficient, let me see some more.’ This is not a good situation to find yourself in.”
2. Properly assess, investigate, and handle returned goods.
“Another area companies may not realize they have an issue in is their returned goods area. Any time goods are returned, they need to be quarantined and held in a separate area. Oftentimes, they get returned, and then they just ‘hang out’ somewhere. Look into that area and how it’s managed. Also, look into the disposition of those returned goods. How does that process work? After a product is returned it has to be assessed or inspected and then dispositioned. Is it scrap? Can you rework it? Is it completely fine?”
3. Look for other issues if problems aren’t observed.
“Sometimes customers file a complaint, products get returned, and there’s nothing wrong with them. They might not have known how to work it due to poor instructions for use. That’s something you may not realize is a problem until you start looking at postmarket surveillance. Say you’re working on an injection pump and you start getting a lot of complaints citing faulty equipment. But you’re getting equipment back and the engineer’s finding there’s nothing wrong with it. This is when you should start looking for poor processes or a lacking IFU.”
White Paper (PDF): The Complete Guide to Root Cause Analysis & CAPA
White Paper (PDF): Clearing Complaint Backlogs: A Guide to Efficient Complaint Management
In other industry news…
A report from Hyman, Phelps & McNamara observes that the FDA appears to have initiated a widespread resumption of in-person inspections.
A brief from MedTechDivce reports that medical device recalls surged in the first quarter of 2022. “The analysis showed mislabeling was the No. 1 reason for recalls for the second consecutive quarter. Until the last six months, software issues typically spurred most recalls.”
A new medical device cybersecurity bill is being introduced in the Senate that, if passed into law, would impose requirements on the FDA to work with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to issue binding guidance for industry and FDA staff regarding medical device cybersecurity no less than every two years.
A report from the U.S. Government Accountability Office presents seven open recommendations for the FDA.
FDA is hosting an upcoming workshop (July 19-20) on CDER inspections of GLPs and study sites.
A LinkedIn post from one of CDRH’s Joshua Silverstein, a longtime regulatory policy advisor, has left the agency for the private sector.
Two companion articles (here and here) from Biocentury’s Washington Editor, Steve Usdin explore the challenges the FDA faces as it considers an overhaul of its Advisory Committee system. “Meetings rarely produce valuable advice and all too often they disrupt rather than illuminate the path from science to medicine.”
European regulators published a Q&A document that they hope will give more clarity on how complex clinical trials should be conducted. The document aims to answer some basic questions, such as what to consider in the planning and conduct of CCTs, how to justify Bayesian approaches to regulators, and how to use biomarkers.
FDA held a recent advisory committee meeting to assess four ingredients and whether they may be compounded in bulk. The recording is available in full on YouTube.
The FDA recently added a new capability to its National Drug Code Directory: The ability to search for compounded drug products made by “outsourcing” facilities.
A special thanks to this issue’s contributors:
Neil Siegel, Ph.D. — Neal is an industry Quality/Regulatory consultant (IVD/Med Device/Pharma) with 25+ years of experience and a particular interest in quality statistics and their understandable, practical application in instances of compliance shortcomings. He has extensive, successful experience from lab bench to C-suite and welcomes opportunities to mentor and teach sustainable skills for the industry. Neal has participated in assessment and remediation teams for companies with severe Warning Letters and Consent Decrees and is knowledgeable in successful recovery from these types of regulatory actions.
Mike Birochak — Mike is an experienced Senior Automation Engineer with a demonstrated history of working in the pharmaceutical and biotechnology industry. His skills lie in the design, programming, and validation of Process Control Systems, Emerson DeltaV, Allen Bradley, SCADA, HMIs, Werum PAS|X MES, and laboratory systems. Mike has performed various regulatory compliance audits, including SDLC, QMS, Part 11 ER/ES, etc. He’s a licensed RF Engineer, ASQ Certified Quality Engineer, and ASQ Certified Software Quality Engineer.
Jessica Santos — Sr. Compliance & Quality Consultant/Subject Matter Expert
Alan Greathouse — Sr. Director of Quality and Service Assurance, The FDA Group
Interested in working with any of these consultants or others like them? Drop us a line on our contact page.
Who is The FDA Group?
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.
With 2,000 resources worldwide, over 175 of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee.
We believe pharmaceutical, device, and biologic companies deserve a resourcing partner that lives and breathes life science.
We are that partner. We help thousands of firms, including 17 of the top 25 global pharmaceutical, biotech, and medical device companies, find the resources they need, when and where they need them, through the optimal workforce model. We provide service and support via three engagement models: Consulting Projects, Staff Augmentation, and FTE Recruitment.
Our resources are located in 47 countries and have expertise throughout the life sciences.
Join the thousands of life science companies executing their projects with The FDA Group.
Get direct access to the specialized life science talent you need to bring products to market and keep them there. Whether you’re looking for consulting or project support, full-time contract, contract-to-hire, or direct-hire talent, we rapidly identify the right resource, the first time. Contact us to get the conversation started.