September 2, 2014

FDA Shows More Flair in Latest 483 Round-up

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

The latest batch of 483s issued by the FDA shows a bit more variety than the last few we’ve reviewed.  We’ve noted in many earlier 483 review reports that the agency has been consistently fixated on corrective and preventative action (CAPA) programs. And there was some of that in this new group.

However, we found more variation here than we’ve seen in many moons.

For example, a December inspection of Stingray Surgical Products in Boca Raton, FL resulted in an interesting 483 for the manufacturer. Specifically, FDA inspectors found “a process whose results cannot be fully verified by subsequent inspection and test has not been adequately validated according to established procedures.”

FDA also hit Stingray for not having “any requirements (only preferences) for purchasing control of components which do not contact the patient.”

Stingray was also found wanting in its design risk analysis program.

Back in California, an October – November inspection of Ra Medical Systems faulted the company for not reviewing design output before release. Also, inspectors issued a 483 because “the acceptance status of product was not identified to indicate conformance or nonconformance with accepted criteria.”

Going farther afield, an October inspection of Karl Storz Video Endoscopy Estonia Ou did find a number of problems with our old CAPA friend at their operation.

Even there, the device maker was also cited for inadequate quality audit procedures, control product not meeting specified requirements, and document control procedures.

Have you sensed a different vibe from inspectors during any recent inspections at your shop? We’d love to hear your story. Anonymously, of course. Drop us a private email at blog@assurx.com.

Part 2: Cloud Vendor Selection for Your Life Science Company – Strategies to Ensure Benefits and Mitigate Risk

Russ King, Managing Partner, Methodsense

Know your Cloud options

Cloud computing is defined to have several deployment models, each of which provides distinct trade-offs for organizations that are migrating applications to a cloud environment. NIST defines the cloud deployment models as follows:

  • Private cloud: The cloud infrastructure is operated solely for an organization.  It may be managed by the organization or a third party and may exist on premise or off premise.
  • Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Choosing the correct deployment can depend on who needs to access the service, budget and security concerns.

Private clouds are the most secure and most expensive. Private clouds allow companies to have isolated sections of a cloud where you can launch resources in a virtual network. You can have complete control over your virtual networking environment and place your backend systems, such as databases or application servers with no Internet access. You can limit access to these servers based on access control, physical hardware, and IP address. A Private Cloud is therefore mostly suited for sensitive data, where the customer is dependent on a certain degree of security. Private Clouds, to an extent, lose the economy of scale compared to a Public Cloud.

Community clouds spread costs over fewer users than a public cloud. This option is more expensive but may offer a higher level of privacy, security and/or policy compliance.

Public clouds are the least expensive deployment. When most people think about cloud computing, they think of a public cloud deployment. All resources are shared but can be secured. If you are comfortable with the level of security of your cloud provider or have budget constraints, public clouds are your best option.

Hybrid clouds are the typical deployment model for most enterprises. In this cloud deployment model, an organization provides and manages some resources in-house and has others provided externally. The main benefit of the hybrid cloud is that it provides the scalability and low costs of a public cloud without exposing mission-critical applications and data to third-parties.

Know your privacy, security and disaster recovery needs

When it comes to privacy, security, and disaster recovery, you need to first determine your requirements and budget. The Cloud provider can provide you with tools to help protect your data, but you need to implement those tools. For example, Cloud providers can allow you to limit access to your data based on physical machine or location, but you need to remove those access rights when that machine or location no longer needs access.

 

Your Cloud provider needs policies, processes, and control activities for the delivery of each of their services. The collective control environment encompasses the people, processes, and technology. Your Cloud provider needs well-trained staff who have limited physical access to your data, and processes that protect your data and technology by keeping prying eyes away from sensitive areas. Accordingly, you should choose a Cloud vendor that maintains proper certifications like SAS 70 (the Statement on Auditing Standards No. 70), ISO/IEC 27001, and FISMA.

You also need to ensure the Cloud provider stores your data in the proper region. The selection of a region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive.

You need to have proper disaster recovery controls in place. A traditional approach to disaster recovery involves different levels of off-site duplication of data and infrastructure. Critical business services are set up and maintained on this infrastructure and tested at regular intervals. The disaster recovery environment’s location and the source infrastructure should be a significant physical distance apart to ensure that the disaster recovery environment is isolated from faults that could impact the source site. Accordingly, it is important that your Cloud provider has data centers that are located in different physical locations and are isolated from faults in the other data centers. When dealing with a disaster, it’s very likely that you will have to modify network settings as you are failing over to another site. For the most critical systems you want to choose a Cloud provider that will allow you to automate the changing of the network settings.

Although the Cloud provider is responsible for maintaining the infrastructure, it is still your responsibility to test your disaster recovery plan.

Choose a Cloud Vendor who can support your FDA Quality Management System needs

Cloud vendors commonly implement quality measures ranging from verbally shared processes and practices to SOPs and trouble ticket software to highly structured Quality Systems.  However, advertising a level of quality management does not guarantee that the Cloud Vendor will meet your life science quality management expectations.  To meet your compliance obligations, your cloud provider may need to make existing processes and procedures more robust and in a way that is more collaborative than they originally intended. Be aware that many Cloud Vendors consider their services to be proprietary and comprised of trade secrets, which may make collaborating around quality more difficult.

Choose a Cloud Vendor who can support your FDA Vendor Management needs

When selecting your Cloud Vendor, be sure they support your vendor management obligations. Cloud vendors who rightly take pride in their SAS 70 Type II certification, for example, often mistakenly insist that the certification should satisfy all quality and auditing needs. These certifications frequently focus on security issues and may not sufficiently cover life science regulatory concerns. Life science companies face validation requirements and regulatory concerns that go above and beyond SAS 70 certification, such as installation qualifications, change control, audit trails, electronic signatures, and permissions configuration. These requirements should be defined for the cloud environment and services and then implemented in your Service Level Agreements.

Be prepared to massage and coax the understanding of the vendor for cooperation before and during this process. By educating the Cloud Vendor about your requirements, you’ll be much more likely to complete a successful migration to the cloud.

Conclusion: Your Cloud Vendor needs to be a partner who fits into your regulatory and quality framework.

Shifting your technology operation to the cloud can garner many significant benefits including:

  • Improved scalability and cost savings
  • Increased access to and utilization of key business assets
  • Improved controls on security and data access
  • Increased innovation due to collaboration and availability of resources

However, regulatory burdens are not abated by shifting to the cloud, and Cloud Vendors today are by and large unschooled on FDA regulations, which, if not addressed, can create risk.  Life science companies should select a Cloud Vendor with the expectation that many will depend on coaching and assistance in order to meet regulatory requirements.   The Cloud Vendor’s ability to accept and then in a timely fashion respond to your regulatory requirements should, therefore, become a highlighted vendor characteristic in your vendor selection criteria.

Read Part I of this series here.

About the authors:

Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.   He can be reached at (919) 313-3962 or rking@methodsense.com.

Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at  888-840-9580.

Former FDA Inspector Notes From the Field: It’s a Compliance Jungle Out There

Patrick Stone, President, TradeStone QA

Considering that clinical trial compliance responsibility is on the Principal Investigator, your contracted participation should add value. Contract Research Organizations (CROs) and independent Monitors must honor the contractual commitments by documenting site deviations and issuing data correction forms. For fiscal year 2010, Monitor inspections by FDA determined that fifty percent (50%) were not in compliance. Twelve percent were classified as official action indicated for warning letter or worse. I will provide analysis of the fiscal year 2011 numbers when they are released.

Meantime, I helped generate these numbers while at FDA in 2010. The most common compliance deficiencies listed were:

  • Inadequate monitoring
  • Failure to bring investigators into compliance
  • Inadequate accountability for the investigational product

(Bioresearch Monitoring (BIMO) Metrics – FY’10)

The rest of the pie chart in the compliance metrics is for IRBs, Principal Investigators, and Bioequivalence inspections by FDA Consumer Safety Officers/Investigators.

I have recently completed many Sponsor generated Quality Assurance audits. I have issued many notable observations of non-compliance. On my most recent audits I have observed serious adverse event reports (SAEs) had not been reported over the span of years, putting the sponsor out of compliance as well (protocol required SAE report within a few days). Inclusion and exclusion violations, missing pages of the informed consent form, not following the protocol for three years for all Subjects, data integrity problems, 21 CFR Part 11 electronic records compliance, and failing to bring the site into compliance. Many simple mistakes when detected early and corrected will compound when left unchecked for years.

It may make sense to audit your trial halfway through, and then at the end, or risk throwing out your highest enrollment site data for lack of protocol adherence. I have to say I recently observed liquid paper/White Out used on source documents for a clinical trial Subject. It has been many years since I have listed that as an observation. The focus must be risk based with primary efficacy end-points and serious adverse event review at the top of every monitor visit.

Then move through to protocol adherence and test article coverage. Training and hiring qualified monitors are key aspects to providing patient safety and regulatory compliant projects. We have our work cut out for us and FDA is not going to review every study or even more than 2% of them domestically. Fifty percent is not a passing number and you do not want to be listed with the rest of the 483 observation forms on the Internet for all to see.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.

FDA Inspectors Crave a Good Hot Cup of CAPA

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

One of my favorite all-time bands, The Kinks, have a fantastic tongue-in-cheek song called “Have a Cuppa Tea” that satirizes the British belief that a good hot cup of tea will solve all of the world’s problems.

I think the FDA misread “Cuppa” and instead decided that if it focused on CAPA it, too, would solve all of the [medical device] world’s problems.

An analysis of 2011 and 2010 FDA inspection observations in 483s shows clearly that CAPA remains at the top of the charts for the FDA (see charts below). FDA’s own analysis of its 3,434 483 observations in 2010 found that CAPA was number one, with a total of 1058 citations. Numbers for 2011 aren’t yet available, but there’s no indication they are going anywhere but up.

And that’s probably not going to change in 2012, either.

Why is CAPA so important? Melissa Torres, part of the Center for Devices and Radiological Health’s Quality System Team in the Office of Compliance, put it clearly. CAPA matters because it is “linked to so many other requirements.”

Consider this, CAPA touches on:
  • 820.198 Complaint files
  • 820.90 Nonconforming Product
  • 820.80 Acceptance Activities
  • 820.200 Servicing
  • 820.22 Audits
  • 803 Medical Device Reporting (MDR)
  • 806 Reports of Corrections and Recalls…
“…and many more,” Torres emphasizes. Plus, dealing with CAPA effectively helps FDA inspectors relax because they get the sense you have detected and resolved any significant problems.

On the flip side, if you don’t have CAPA in control, you’re going to need a lot stiffer drink than a cup of tea.

The top 10 observations for 2011 were:
  • 21 CFR 820.100(a) – Procedures for Corrective and Preventative Action (CAPA) have not been adequately established;
  • 21 CFR 803.17 – Written Medical Device Report (MDR) procedures have not been developed/maintained/implemented;
  • 21 CFR 820.198(a) – Complaint handling procedures for receiving/reviewing/evaluating  complaints have not been established/defined/documented/completed/implemented;
  • 21 CFR 820.100(b) – Corrective and Preventative Action activities and/or results have not been adequately documented;
  • 21 CFR 820.75(a) – A process whose results cannot be fully verified by subsequent inspection and test has not been adequately validated according to established procedures;
  • 21 CFR 820.22 – Quality audits/reaudits have not been performed;
  • 21 CFR 820.22 – Procedures for quality audits have not been adequately established;
  • 21 CFR 820.30(a) – Procedures for design control have not been established;
  • 21 CFR 820.30(i) – Procedures for design change have not been adequately established;
  • 21 CFR 820.20 – Management with executive responsibility has not ensured that an adequate and effective quality system has been fully implemented and maintained at all levels of the organization.

The top 10 observations for 2010 were:

  • 21 CFR 803.17 – Written Medical Device Report (MDR) procedures have not been developed/maintained/implemented;
  • 21 CFR 820.100(a) – Procedures for corrective and preventive action have not been adequately established;
  • 21 CFR 820.100(b) – Corrective and preventive action activities and/or results have not been adequately documented;
  • 21 CFR 820.75(a) – A process whose results cannot be fully verified by subsequent inspection and test has not been adequately validated according to established procedures;
  • 21 CFR 820.198(a) – Complaint handling procedures for receiving/reviewing/evaluating  complaints have not been established/defined/documented/completed/implemented;
  • 21 CFR 820.50 – Purchasing controls, lack of or inadequate procedures. Procedures to ensure that all purchased or otherwise received product and services conform to specified requirements have not been adequately established;
  • 21 CFR 820.198(a) – Procedures for receiving, reviewing, and evaluating complaints by a formally designated unit have not been adequately established;
  • 21 CFR 820.198(c) – Complaints involving the possible failure of a device/labeling/packaging to meet any of its specifications were not reviewed/evaluated/investigated where necessary;
  • 21 CFR 820.22 – Procedures for quality audits have not been adequately established;
  • (tie) 21 CFR 820.22 – Conducted quality audits/reaudits have not been performed;
  • (tie) 21 CFR 820.30(i) – Design changes – lack of, or inadequate procedures.

Congressional Committee to Reduce Waste Eliminates Self

Kim Egan, Partner, DLA Piper LLP

It turns out that I am not the only one who has noticed that food regulation is sometimes a little, well, silly.  The federal government recently “identified a mother lode of government waste and duplication” and decided that getting rid of it “could potentially save billions of tax dollars annually and help agencies provide more efficient and more effective service.”  This according to Sen. Tom Coburn, R-Okla. and the Government Accountability Office (GAO) in response to the GAO’s first ever audit of federal agency overlap.

One of the biggest culprits is food safety.  There are over 30 food-related laws administered by 15 different federal agencies and still the public lacks confidence in the safety of our food supply.  What to do?

GAO recommends that as “a next step, the Director of the Office of Management and Budget, in consultation with the federal agencies that have food safety responsibilities, should develop a government-wide performance plan for food safety that includes results-oriented goals and performance measures and a discussion of strategies and resources.”  What does that mean?  It sounds an awful lot like the “next-generation-platform-based-information-management-solutions” type stuff we heard about during the tech boom.

GAO insists that “[w]ithout a government-wide performance plan for food safety, decision makers do not have a comprehensive picture of the federal government’s performance on this crosscutting issue.”  In other words, if no-one tells the boss what’s going on, the boss won’t know what’s going on.  Let’s definitely fix that.

GAO also wants Congress to ask the National Academies of Science to ask a blue ribbon panel of experts to come up with some “alternative food safety organizational structures.”  The GAO proposes that Congress ask the NAS to ask the blue ribbon panel to consider the excellent example of Europe.   Somehow I don’t think our Tea Party Congress will cotton to that idea.  Europe has one food safety agency and one, transparent set of food safety rules.  That seems so sensible, no?

The GAO also appears to recommend Food Communism: “a coordination mechanism that provides centralized, executive leadership for the existing organizational structure, led by a central chair who would be appointed by the president and have control over resources.”  The Tea Party won’t like that either.

Because the solution to our food problems is to become more European, we can rest assured that nothing at all will change.  We will stick with our quaintly provincial and silly system of food regulation.  FDA will continue to make sure that shell eggs are properly labeled while the USDA’s Animal and Plant Health Inspection Service will continue to ensure the health of the chicks that hatch from them.  FDA will continue to regulate products made from the shell eggs (that one hopes were properly labeled) while USDA’s Agricultural Marketing Service will continue to grade eggs for beauty and purity.  And it will continue to be the case that nobody at all in the federal government will be making sure that the eggs sold in your local grocery store are free of Salmonella.

The good news is that it’s not just food that gets taken to task in this report.  The GAO says we could probably save some money “defending our northern border” from our staunch Canadian ally as well, ironically, as our efforts to identify government overlap.  No. 14 on GAO’s list of things to de-dupe is “Enterprise Architects,” which it says are “key mechanism for identifying overlap and duplication.”

What a waste.

Kim Egan is Partner in the firm DLA Piper LLP

Former FDA inspector Miles on What FDA Looks for During Inspections & the Importance of Strong CAPA Systems

Ken Miles, Former FDA Inspector

Ken Miles, a 28 year veteran of the FDA, is today a widely-respected industry consultant to the medical device industry. He draws on his extensive experience to help firms effectively and efficiently comply with FDA requirements. Ken’s expertise includes evaluating Good Manufacture Practice (GMP) and Good Laboratory Practice (GLP) compliance, Quality System Regulations, and QSIT certification inspections (Management, Design, Process Controls, and CAPA).

In this multi-part series, we talked with Ken about FDA inspections, CAPA, quality systems, audits, training and more.

Q: When you were with the FDA, what did you look for during onsite inspections at medical device facilities?

A: What I primarily looked for was a robust quality management system that covered all of the key areas: CAPA, internal quality audit findings, training, MDRs and complaints, supplier quality, etc.   Supplier audits are also very important, and they should always tie back into CAPA and management review findings.

Q: You mention training as part of the overall quality management system –  what kind of problems did you see in that area?

A: The most common problem with training is that programs are often inadequate. Oftentimes procedures are either nonexistent or very poorly written. You need to have stringent management commitment and oversight, while also removing irresponsible people who can seriously damage the business. Procedures, management review and training are the primary areas that should generally be addressed through a CAPA program to make it work.

Q: Digging deeper, what were the CAPA-related issues you saw most often during inspections?

A: The one thing I saw often was that companies did not prioritize their CAPA items. You need to prioritize them using a risk-based approach. The highest priority ones should be put at the top of the list. Sounds like an obvious thing, but a lot of companies just throw all CAPA related issues into one bucket with no priority or even closure dates. If you don’t have some sort of prioritization system, you might become weighed down with too many assignments with no end in sight. Prioritize by low, medium and high priority, as well as severity of consequences. That would also imply that you have a target date, or closure date once you implement that program. A lot of companies don’t do that.

Q: You stress the importance of prioritizing and setting due dates for CAPA. Can you give us some examples of what you looked for during your inspections?

A: Medium and serious CAPA issues should be closed out within 30 or 90 days at the most. I’ve seen situations where CAPAs are still hanging out there after two or three years! And I’ve even seen some that have never closed or resolved! In certain situations, I’ve also seen CAPAs that don’t even have a closure date. Unfortunately, that’s typical of spreadsheet based CAPA systems.

In the next part, we will delve deeper into actual situations, and discuss some of the more egregious things that Ken Miles experienced as an FDA inspector.

Click here for more detailed information about CAPA.

Keystone Dental Takes Fixing Smiles Very Seriously

More than 30 million Americans are missing some of their teeth in one or both jaws, and with a growing aging population, that’s estimated to grow substantially. According to the American Academy of Implant Dentistry, an estimated two in three Americans have one or more missing teeth, due to the increase in periodontal disease as the population ages.

Three million people have dental implants and that number is growing by 500,000 per year with an estimated market for implants to reach $1.3 billion by 2010.  Dental implants are permanent fixtures of titanium posts anchored in the jawbone and topped with a replacement tooth. The technology was initially developed in Europe over 30 years ago and the success rate is remarkably high: 97 percent success rate in lower implants and 91% success rate in the upper implants.

Keystone Dental, based in Burlington, MA, was founded in March 2006, and aspires to build a market leading global brand recognized within the dental community for its integrity, trust and commitment to improving the standard of care for patients and their quality of life.

Since then, they have rapidly grown into a diversely skilled, fast-moving team of professionals committed to providing excellent customer service and producing high-quality products and services.

Keystone’s business plan called for an electronic quality management system to be implemented as soon as possible. Being an extraordinarily high volume medical device manufacturer, Keystone’s new system would have to handle an equally large volume of electronic records per year.

According to Richard Jancsy, Manager of Quality Systems, “A critical success factor for us is to effectively and efficiently manage a significant volume of regulatory documentation; in a rigorous and compliant manner…you need a reliable and highly configurable system to meet that challenge.  That’s why we selected CATSWeb.”

Instead of using a manual, paper-based system that tediously captures data, the new electronic system has streamlined the process; it’s focused on capturing the essential and actionable information quickly.  The implementation activity allowed Keystone to critically re-evaluate their current manual complaint handling system and design a robust solution by leveraging CATSWeb’s flexible capability.

“CATSWeb can mirror the process in a way that we get to choose, and not the other way around,” added Jancsy. Keystone will integrate the CATSWeb quality system with Salesforce.com and their IFS ERP.  The first process rolling out is complaint handling and then CAPA, audits, training and change control during 2009.
