The Calcott Consulting Blog:

   Articles on GMP:


Risk management – it does not have to be complicated

October 18th, 2011 by

At a course I was recently teaching at the University of California, Berkeley on Biotech Pharmaceutical Quality and Compliance, the topic of how to implement the ICH Q9 was brought up.  One attendee indicated that his company had tried to implement it and had run into trouble.  They had set up a Quality Risk Management (QRM) department and it just appeared that all they had done was create another function that had to review all work, SOP’s and reports.  It was like a further level of QA.  Processes were operating even slower than normal and it appeared the amount of work had mushroomed.  He indicated that in the presentation, I made it seem so easy.  he posed the question:

Where had we gone wrong? And was it to late to get back on the right path?

In reality, I find many companies that implement QRM do make it too complicated.  It should not be a separate department but rather the tools should be incorporated into your everyday processes so that simply there is just a further step in your pre-existing processes.  These processes could be change control, investigations, CAPA, complaints, environmental monitoring, testing schedules, raw materials programs, vendor qualification.  You get the picture.  Put it where it adds value.

I am reminded of one of the first times I heard an FDA’er articulate on QRM.  A few years ago (quite a few actually) I was at a conference where an FDA’er was describing Quality Risk Management (QRM) and their expectations.  It was a few months after the ICH Q9 was issued.  the speaker described agency expectations and since I knew him very well (having had lunch and a few beers socially), I approached him and indicated that I thought what he was describing was already in place in most progressive companies.

He replied:

You are right, it is.

I continued:

So what is different now?

He replied:

The agency just wants it to become second nature and get it integrated formally into your processes and, of course, document decisions and assumptions.

That was one of the most valuable set of comments I have received on the topic.

So I recommend that when making QRM mainstream, you need to do the following:

  1. Learn the tools and examples of where it can fit in.  There are many webinars out there offering the know how.  Tungsten Shield does offer some good ones on this and other topics.
  2. Examine all your business processes and incorporate QRM steps into the process that exists.  Try one first and slowly roll out across the other processes.  Change Control is an excellent one to start on.
  3. Examine after a period of time to see what works and what does not.  With QRM you have begun continuous improvement so expect changes over time as your skill increases and you find out how the company likes to operate.
  4. Remember to document all your decisions and most importantly assumptions.  Be prepared to go back if your assumptions are found to be wrong or new information  surfaces.
  5. Do not fall into the trap of setting up a QRM department or you will be mired in bureaucracy.

And, most importantly, enjoy what you are doing.

Are SOP’s Your Problem?

September 23rd, 2011 by

I am intrigued by certain webinar companies that appear to spend a fortune on advertising.  You’ve seen their emails and half page ads. They go like this.

What’s the one thing that you can control that is a disaster waiting to happen?  Those piles  of SOP’s fresh off the press that nobody knows what to do with.  Bullet proof your procedures.

You’ve seen the adverts. If only life were that simple.

Actually, writing SOP’s is a relatively easy job if you go about it the right way.

Rolling them out is also simple, again if you do it the right way.  We will talk about these two parts later.

It’s not as if perfect SOP’s are needed and that rolling them out must be done perfectly.

I have audited organisations that had pretty poor but acceptable SOP’s with training programs that are uninspiring and yet these organisation operate in compliance.  Are they efficient  – NO?  Do you want to use their SOP’s and training programs – NO?  But they work and the companies stay out of trouble.

Actually the 800-pound gorilla in the room is really management involvement and support for the principles of compliance which includes following SOP’s and actively training staff.

How can you detect this problem?  It is often detected by looking at regulatory citations and/or audit findings.  Look for those observations that are made with CAPA’s that never seem to prevent recurrences.  Look for repeat observations.  Now look at the CAPA’s.  How many call for a rewrite of one or more SOP’s?  How many call for retraining?

As I always say in my class, if SOP rewrite was the right solution, how come we are so bad at doing it that we have to keep rewriting them?   Time and time again. And the problem does not go away.  Are these rewrites so bad or are we tying to correct the wrong thing?

If training and its roll out was the key issue, how many times do you retrain Bill on the procedure and he just does not seem to get it, before you say that there must be another issue here?

At some point, step back and ask the question, how come these rewrites and retraining do not solve the problem?  The answer is closer than you think.  It is the culture in your organisation.  It is a difficult message to deliver and to receive.  But, as my father used to say, understanding you have a problem is half way to solving it.

Do you allow non-compliance with your SOP’s?  Are they optional in your programs?

The answer to all these issues is to do the following:

1.) Before you write an SOP or review it for rewrite, ask the question of whether the effort is worth your time.  Is there an SOP already in place?  If not, do you really need another?  Only then consider rewriting or producing an SOP.

2.) Make sure you get subject matter experts involved in the writing or at least defining content.

3.) Make sure all stakeholders are involved in reviewing the draft SOP.  Does that mean they all approve it?  NO.  There is an owner and QA who need to approve an SOP.  Perhaps 1 or 2 others, but rarely more, are required.  Too many approvers mean things get log jammed.

4.)  Communicate the new SOP before it goes live so that involved parties can assess and train as appropriate.

5.)   Training does not have to be complicated.  It may mean simply reading and  acknowledging you understand it.

6.)  Give the organisation enough time between issuance and go live.

7.)  Document all activities.

Now the biggy.  Make following SOP’s a requirement for continued employment.  Follow them yourself.  Nothing spells disaster more than a boss that is above SOP’s.  If you do not set an example for following them, you are setting an example that they are optional.

What does a Quality or technical agreement have to contain?

September 19th, 2011 by

I was on a panel discussion on Contract Manufacturing in Berlin this last week and the topic of Quality or Technical Agreements produced a vigorous debate. While everybody agreed that the requirements for the documents are codified in the EU by regulations, the FDA does not directly require them by law. However, as most know, if you do not have them in place, you will get a tough time at inspection to assure that you have appropriate oversight of your Contract Manufacturer (CMO).

So what should you have in the document and how should it be controlled?

Firstly, essentially everybody at the session was adamant that the document was one whose purpose was to define expectations between both parties. Again essentially all believed it was a document written by the Quality group to define the quality expectations, obviously involving other disciplines eg, manufacturing, logistics etc for input.

However, who should have control of the document split the group into two camps. The majority believed, that these parties alone needed to review and approve the document. A small minority (including the only lawyer present) believed it should be approved by the legal function, and be formatted by legal. I tend to believe that the value of legal should be advisory in the preparation to assure that no landmines or bombshells are present.

However, it is a document used by both quality and other technical functions. As such it needs to be written in real language that is understood by the doers. So in my experience, I have involved the legal department for advice, which I do take seriously. But I do not let it get hung up in the legal department in their processes which tend to take extraordinarily long timeframes to complete. Usually, I give then a week or so to review with the comment that no communication by the end of the week indicates no problems found. Of course, I do not wait until the department is involved and tied up in some busy critical project or most are on holiday. Rather I plan ahead giving them a heads up that one is coming along. In other words, I play a balanced hand but do not let them become either the gatekeeper or the bottleneck.

That said: what should it contain? The simple answer is “everything that appears relevant”.

Clearly, define the product(s) and steps in manufacture that are covered by the relationship and the markets that will be supplied. This is to assure that the correct GMP’s will be applied.

With this as a preamble, go through each of the quality systems, to assign responsibility to assure who will do what is clearly defined. In some cases, one party will be responsible for all activities. But in most cases while one party will be responsible for most, the other party will play a role even if it is simply to be informed of the result.

So why am I not describing who is responsible, system-by-system? It is because there is no set pattern and it must be defined for your particular circumstance. Who does what is determined by who has the expertise and the risk level you are prepared to tolerate.

One mistake people make is to assume that if I am outsourcing the physical manufacture, I can also outsource the responsibility and the accountability. Truly delegate as much as you can to your CMO. You are paying a highly experienced entity: so use them. However at the end if the day you are responsible for the activities at the CMO. Make sure you are involved in change control, lot disposition, investigations (major or critical), just to name a few.

Communication is critical. Define the who, when, what, where and why. Make sure the contacts are clear to both parties and their communication channels are open. In the world of improved e-communication, while email is exceedingly good, there are times when face to face is critical. Frequency of meetings and reports are important to build expectations. Clearly defined mechanism prevent the data overload of random people called random people in the other company.

Sometimes things go wrong and an audit is need for cause. Define the routine and non routine so it is clear when you can go. Include in that you can use consultants to audit. Put in a section on what to do when you butt heads. You hope you ever need it but if you do, you have it spelled out.

Change controls can be simple for small plant-only activities. It can be more complex if it results in a submission. In the latter cases, make sure you are an active player. Make sure you keep up to date so you can submit supplements quickly and on time. You are releasing product to market, so you must be involved in the operations. You need to know all the issues with the lot and make sure the contractor communicates to you when things go wrong. Definitely be fully aware of all critical deviations or discrepancies including OOS’s.

In general terms, activities that are truly plant specific can be delegated to the CMO with you having the option of auditing periodically or receiving monthly reports. For product specific activities, I recommend you taking a leadership role approving all activities. This applies to validation in particular.

I periodically present webinars on this and other topics in conjunction with Tungsten Shield. Of course a 2 hour webinar will cover much more detail that that described here. Check out their site for upcoming webinars I will be presenting.

So when do you start Quality by Design?

September 12th, 2011 by

After participating on a panel discussion at an IBC conference on Quality by Design (QbD) and the new Process Validation guidance issued earlier this year by FDA, I was approached by a process development scientist who asked my advise on the value of implementing  QbD in their company.

He explained that his company was extremely small and did not have a a large number of staff in his discipline or even other related ones such as quality and manufacturing.  In fact, he indicated that the clinical manufacture would be 100% outsourced. However, they were entering phase 1 soon and he was afraid to miss the opportunity to incorporate this new approach into their process development activity.

Over the next 20 minutes of discussion, the following points were raised which led to the following conclusions:

1.)  He was using a platform technology for the process to make clinical materials.
This platform would not be the process that they would commercialise by.  Therefore spending a lot of resources homing in on the role of inputs (raw materials), control points and control strategies did not make sense at this stage.  However, developing a set of critical quality attributes for the product did.  This would serve as a spring board
as they begin to develop their phase 3 process which would be the commercial one later in the cycle.  This commercial process may not look at all like the early clinical stage product.

2.)  These critical quality attributes would be important to have as early as possible for the drug product and the active pharmaceutical ingredient at least. This was particularly true for the biological product they were developing and would also be applicable to small molecular weight products as well.

This gave him quite a bit of relief that he had some time to work through the details before rushing headlong into the activity.

There was a question I posed to him that got him thinking and that was. “You are working for small company, highly outsourced.  Is you business model to take this product to market yourself or with a partner?  Or perhaps to get Phase 1/2 data and sell the product to a big Pharma?”

He responded “Why would it matter?”

“Because if you take it to market with or without a partner, you will need to begin the work on QbD as soon as you start the Phase 3 process development.  If you plan to sell it, the buyer will want to develop the process and they will do the QbD.  Any Phase 3 process work you do may not be valued by the buyer as much as the product, so your ROI on this work may not be as much as that for the product.”

So the take home messages are:  know your business model for your company and be sure to consider the ROI on the work you put into your product and processes.

Compendial Methods Need To Be Qualified

September 12th, 2011 by

During a recent class I taught at University of California, Berkeley in their Quality and Compliance postgraduate certificate program, a question came up from one of the attendees that mirrored very closely observations I have made in audits over the years. And that question was “do we have to validate compendial methods we use in testing our commercial products?”

That question is, on the surface, very simple. And the answer is no. Neither the FDA nor the EMA requires us to validate compendial tests that we use with our products. But the answer actually has another layer to it which people do not venture too often to address.

While we do not have to validate a compendial method we use with our products, we must demonstrate that it works for the application with our product. ICH Q7 describes in section 12.80, this point clearly.

Analytical methods should be validated unless the method employed is included in the relevant pharmacopoeia or other recognised standard reference. The suitability of all testing methods used should nonetheless be verified under actual conditions of use and documented

Thus it is clear that while formal validation is not required, we must demonstrate that it works for our product for the intended purpose. This is very clearly shown in the original form 483 issued to Chiron Corporation for their flu vaccine product plant in UK in October 2004 that resulted in issuance of a warning letter in December 2004. They were cited for a lack of data to support the use of the USP sterility test for their product. Their response was clearly adequate since it was not cited in the warning letter. This action took them off the market in the 2004 flu season for their flu vaccine product

Many times on audit I have reviewed specifications and seen that compendial methods are used for a variety of tests including sterility, endotoxin, particulates and others. My first question is usually to ask for the data to support use of the method for their product. At least 9 out of 10 times, I get blank stares followed by the statement, “we don’t have to validate compendial methods!” I agree with them but follow on with the statement, “I know, but where is the data to support usage of the method?” They often look puzzled still but cannot provide any data. Too often, I believe, the first sentence of the ICH Q7 document is read but the second missed.

What do you have to do the “qualify” it? I recommend a simple qualification plan – rather like a validation protocol – with a testing plan to check the key parameters of the assay such as accuracy, precision, specificity and ruggedness, including interferences. That sounds like a validation and it is: but an abbreviated one touching only on the parameters of issues that make your product unique or challenging.