Compliance Architects

Consulting Technology Outsourcing

A Low Cost, Seven-Step Approach to Reducing FDA Enforcement Risk

audits

|

A Low Cost, Seven-Step Approach to Reducing FDA Enforcement Risk

August: normally full of summer… sun, sand and surf. As the song goes, “summertime and the living is easy…”

In 2020, COVID-19 — and more recently its Delta variant — wreaked havoc on an orderly return to business as usual.

But recently progress has been made as the FDA said they have resumed some of its foreign inspectional activities and has begun transitioning to its standard operations for domestic inspections.

My hope is that all of you involved in quality and compliance are enjoying some time off with friends and/or family and getting a chance to read a good book on a quiet beach somewhere.

But be forewarned, the FDA does not appear to be taking any enforcement vacations. Companies need to remain vigilant reducing enforcement risk for the remainder of the Summer and Fall. In keeping with the season, this posting is going to be light, relatively short, and easy on the eyes. But, don’t underestimate what I’m about to tell you. The following can be a roadmap for significant risk-reduction within your operation, and you don’t have to spend one thin dime to accomplish any of this.

So let’s get started.

Initially, enforcement risk reduction is largely a matter of focus. Reducing risk prospectively is a project, and in my strong opinion, should not be considered part of “base business” operations. Organizations are generally staffed to manage base business, not to develop new or fix broken systems. That said, you can achieve such focus with the following.

Step 1: Create a three-month, strict timeframe for an enforcement risk reduction project. Why three months? Well, for one thing, it’s a manageable timeframe – it is short enough to be real. Also, three months puts pressure – and focus (which is what you want) – on your team to deliver.

Step 2: Prepare to get things done. If you’ve got a staff of 20 people that are already overworked, you can’t just add more work to their plate. You have to eliminate low-value work items to free staff up for a big project push. There’s no magic here – even the best people need to go home and relax after a hard day’s work – and therefore, to focus on enforcement risk reduction, you will likely have to eliminate some other activities for the three month period. Get your staff together for one-hour and go through and ask them what activities should be put on hold for three months so that you can achieve focus. In all likelihood, you’ll get an earful from them.

Step 3: Turn your staff into a project-based team. There is a big difference in how people work on routine, base-business business responsibilities, as distinguished from tight, project-focused, project-managed activities. I personally believe that humans are “hard-wired” for project type work: cross the river; hunt the animal; build the shelter; plant the crops. By turning your workforce from a “staff” into a focused “project team” you immediately convert passive content consumers into active content producers.

Make sure you appoint a project lead (project manager) and decompose the project sufficiently to make it manageable. Make sure the project lead is a “can-do” type of individual that will not only get things done, but will make sure that the other people with task responsibilities get their things done!

Step 4: Conduct a hyper-critical assessment (deep dive) of your operation. The objective here is to not provide a report for management to beat anyone up with. The objective here is to quickly, and without attribution of fault, figure out where there is risk in your operation. I would suggest that no names be included with the report, and perhaps, the report should not even be published or circulated. The report should only be used as the basis for an aggressive project remediation plan.

Step 5: Review/Analyze/Triage. Get together with your quality and compliance team in a conference room with multiple stacks of Post-It Notes, flipcharts and markers. Take each of the findings / risk areas from Step 4 and for each finding, identify the level of risk exposure from the finding (high, medium, low) and what specific actions and resulting deliverables can be taken to reduce or mitigate the risk within a finite 90 day window. It is essential that you focus on activities that can be completed within the 90-day window. Capture everything, but if it’s a longer-term remediation project, analyze it separately, after the fact.

After you prioritize the risk exposure, re-prioritize within each classification of risk exposure to get a prioritized list of activities that needs completion within the 90 day window.

Step 6: Plan. Project management should be a core skill of any quality, regulatory or operations professional but unfortunately, it often isn’t. A checklist or to-do list is not a plan – plans are documents that provide a roadmap – with details, resources, explanations, etc., of how you are going to get from Point A (in this case a list of things that need completing) to Point B (a list of things that are completed).

The project leader you appoint (with overall responsibility for project timing and commitments) should develop a fully-resourced project plan with realistic completion deadlines, identified predecessor tasks, and containing the prioritized list of items you identified as necessary to drive down enforcement risk. Ensure supporting documents exist to help project members understand the project purpose, governance, support structure, etc.

Step 7: Execute. No matter how well you plan, if you don’t execute, everything up to this point has been for nothing. Good execution is hard – people need to focus on completing activities within pre-defined timeframes. If they run into problems, make sure they ask for help. I once worked for a company that told me that one of the few things that would simply be considered unacceptable was failing to ask for help if I needed it.

Track progress closely; meet regularly and update status; update project plans (and GANTT charts if you have them); identify task delays that disrupt the critical path; communicate regularly and consistently. By ensuring you execute strictly to plan, you will walk away in 90 days with a huge level of progress, and will have reduced substantial risk.

Enforcement risk reduction is hard work. Systems need to be remediated; documents rewritten; training conducted; procedures redeveloped; stories developed; gaps plugged. All this work is generally above and beyond the role of base business personnel. By providing focus, project-based approaches, and good project execution discipline, however, your organization can begin to reduce enforcement risk without a great deal of expenditure.

Enjoy the rest of the Summer!

Interview: FDA Inspection Readiness

 

Business Intelligence Solutions Interview

with Jack Garvey

FDA INSPECTION READINESS

 

March 2010

What are the biggest issues currently facing FDA-regulated companies when it comes to FDA inspections?

FDA regulated companies are currently dealing with a multitude of challenges.  Initially, companies have been aware of the reduction in FDA enforcement rigor that has occurred over the last 8 to 10 years, and many companies have, as a result, let their guard down with respect to FDA inspection readiness.   Also, as result of significant economic challenges, companies have had to do more with less.   Since companies had been observing that their overall enforcement risk had been reduced, there was no real incentive to ensure robust quality and compliance programs and as a result, quality and compliance staffing has often been either frozen, or reduced.   I’m aware of one leading pharmaceutical / medical device manufacturing company that eliminated a significant portion of its corporate quality and compliance oversight function a few years ago, and, not surprisingly, is now experiencing problems within the organization.    Unfortunately, when times are tough, executives often look at the cost of these functions, and fail to remember how important the quality and compliance roles are to ensure companies aren’t devastated by an adverse legal / regulatory enforcement action.

As a result of the new FDA Commissioner, Margaret Hamburg, are you seeing an increase in inspection intensity and frequency?

FDA has, as most people know, been slowly increasing the quantity, intensity, an overall rigor of its inspection activities with respect to FDA regulated companies.  In August of last year, FDA commissioner Hamburg outlined in the first Commissioner’s speech to deal exclusively with enforcement, FDA’s new approach to aggressive enforcement activities, and their desire to “streamline” the enforcement process.   So far, it appears that enforcement activity is increasing slowly, but steadily.   It is likely that the Obama administration has so many issues on its plate that FDA enforcement, and product safety, have not yet received the attention that they would have under normal circumstances.   I would expect that eventually, significant attention will be placed on supply chain security and product safety, and inspection and enforcement action will increase substantially.

What are the areas and issues that are creating the most risk for companies in the current environment?

There are many, many issues that are currently of concern for FDA-regulated companies, and that create real risk.   Initially, despite years of clear knowledge of FDA regulations and expectations, many companies have simply not fully implemented robust quality and compliance systems.   I find that many companies  just don’t know what they don’t know.   They are under the assumption that their systems are fine, and that things are “in control”, when nothing could be further from the truth.   These companies are the ones at most risk from the increasing level of FDA enforcement.   Even if FDA does not increase the level of intensity and quantity of inspections , it is already far less cooperative with companies that just “don’t get it” and/or that have a history and track record of substandard compliance activities.

For companies that have generally embraced proper approaches to compliance and quality management over the years, the traditional areas of concern will continue to be areas of intense scrutiny by the FDA.    Perennial favorite CAPA can most assuredly be considered one of the most important quality subsystems to have fully prepared (and objectively assessed) before getting a review during an FDA inspection.   FDA’s focus on external supply chain security, and offshore and outsourced operations, place companies that perform much of their operations through third parties at an increased risk.   These companies must have a robust oversight program in place to ensure that the company is fully aware of the actions of their third-party provider, and that all the requirements and responsibilities (including controlled change, investigations, etc.) of the provider are being executed.    Finally, companies can expect FDA to review your process/product knowledge (or characterization) and how this knowledge is being used to drive proper CAPA investigations, recall decisions, change management, validation, and the design of your process control frameworks.

 

In light of the foregoing, what would you recommend companies do to prepare for their next FDA inspection?

Since companies within the US are subject to FDA inspections without notice (even though they generally follow a rough anticipated schedule), they need to be what I call “ever ready” for an FDA inspection.   This state of readiness ensures that a company can quickly mobilize when an FDA Investigator walks through the door, and that they can readily provide access to, and explain their systems, procedures, practices, products and quality records that the FDA will be looking for.   Also, this state of readiness should be reinforced by company executive management through periodic walkthroughs with knowledgeable individuals.   The benefit of this is that with a little effort, it can show that the executives team is committed to a high state of readiness and the importance of excellent inspection outcomes.

Companies outside the US are somewhat more fortunate since they receive prior notice prior of the occurrence of an FDA inspection.   However, these companies shouldn’t become too complacent – there is often far too much work and change to get done within the typical month between notice and inspection to truly prevent significant inspection observations.

As part of an “ever ready” approach to inspection readiness, companies should have a number of things “in place” at all times (at a minimum) ready to review with an Investigator when they walk in the door.    These include:

  • A copy of their inspection procedure(s);
  • A binder of their Quality Manual (or equivalent) and an index of their Policies, SOPs, Work Instructions, Guidances, Standards and / or other documents that comprise their quality system documentation;
  • An “introductory presentation” about the company, its products, the site, the manufacturing areas, the leadership team, and the processes the Investigator will be looking at;
  • A binder of at least five complete years of regulatory inspection documentations, including 483s (if any), EIRs, Warning Letters (if any), full responses to 483s and Warning Letters, and a complete index of commitments and documentation of commitment completion.

There are many, many more things that a company can do to prepare for the inevitable inspection, including performing CAPA record reviews, process control plans, and develop advocacy-based messaging to substantiate quality system decision making.     As the saying goes, “in time of peace, prepare for war,” and nothing could be more relevant today for FDA-regulated companies.

For further information on FDA Inspection Readiness, contact Jack Garvey at john.garvey@compliancearchitects.com, or call 888-734-9778.

Regulatory Alert: New FDA Proposed Rule — Sponsor Reporting of Falsified Data

Today the FDA has published a proposed rule in the Federal Register (75 FR 33 at 7412, 2/19/10) that will require sponsors (and defining petitioners under food/supplement submission rules as sponsors) to report to FDA any instance of falsified data that the sponsor company identifies within a proposed or current human or animal study in support of pharmaceutical, medical device,  food, color additives, or dietary supplement approvals or clearances.    The rule is broad in scope, and is intended to drive down instances of falsified data contained within product approval or clearance submissions to FDA.   The FDA’s intent is to prevent “ambiguity in the current reporting scheme” that has caused confusion among sponsors and to “help ensure the validity of data that the agency receives in support of applications and petitions for FDA product approvals and authorization of certain labeling claims and to protect research subjects.”

Initial Analysis: This rule will effectively require the tactical  implementation of certain compliance program elements within the oversight framework for human and animal studies.   At a minimum, it should require additional training on the rule, and expectations regarding the prohibition of falsification of data under any circumstances.  It should also lead to incorporation of personal certifications of data integrity on data submission, and individual acknowledgment of penalties for falsification of data.

Audits, Assessments & Corporate Compliance Investigations

Although audits, assessments and corporate compliance investigations are not something most executives get excited about, they are critical to ensuring your FDA-regulated business is ready for any and all types of review by the FDA, Department of Justice or other regulator.  Audits, Assessments, Corporate Compliance Investigations and (one additional item) Mock Inspections are generally defined as follows:

  • Audit: A formal, often-privileged, structured, in-depth review of a company’s regulated operation for the purpose of determining deficiencies and deviations from established and understood regulatory standards. Audits are often “scored” for purposes of determining performance of an operation against accepted standards.
  • Assessment: A formal, not-privileged, and loosely structured review of a company’s regulated operation for purposes of determining issues, deviations from regulatory standards, opportunities for improvement, best practices and readiness for audit or inspection.
  • Corporate Compliance Investigation: A for-cause investigation, generally performed at the direction of the Company CEO, General Counsel, or Chief Compliance Officer, possibly subject to privilege if authorized and executed properly, and focused on confirming, or disproving, allegations of illegal conduct or violations of a company’s code of conduct, procedures, policies or other mandates. Corporate compliance investigations must conform to the highest standards of critical review to ensure discretion, confidentiality, comprehensive assessment and legal analysis are performed properly.
  • Mock Inspection: An audit performed by someone posing as an FDA Investigator for the purposes of determining operational readiness for a real FDA or other health authority inspection. Mock Inspections are both a readiness and training tool and provide significant value to an organization when performed properly.

Each of the foregoing can vary in intensity and rigor in accordance with the needs of the organization. Depending on the amount of time spent, each of these can be more or less rigorous (and correspondingly more or less expensive) depending on what level of risk and confidence each organization possesses.

For small and medium-size organizations seeking to proactively assess compliance, Compliance Architects® recommends a three-day review activity. For medium to large size organizations seeking to proactively assess compliance, we recommend a week to two-week review activity. Where corporate compliance investigations are indicated, specialized planning and cooperation with the Chief Executive and counsel are typically indicated.

For additional information on audits, assessments and investigations, contact Jack Garvey at john.garvey@compliancearchitects.com, or visit:  www.compliancearchitects.com

Contact Us Today