Patrick Stone, President, TradeStone QA

I have noticed some concern from many IRBs about the GAO & OHRP difference of opinion regarding some aspects of human subject testing. If accreditation is ever fully pulled from an IRB, the reasons will be stated by FDA or OHRP. Through my review of many types of IRBs large and small (central & institutional) I have noted a few trends.

Central IRBs have two fundamental issues to deal with: quality assurance (QA) at the study site, and having a local representative of the community where studies are being conducted present at IRB meetings.

FDA & OHRP are now expecting IRBs to conduct QA audits as is done with most institutional IRBs. If the central IRBs can do a bit more with the funds they receive for service, they will survive this transition. The IRB’s basic functions are to insure patient safety & rights and assure clinical trials are following the CFR (all applicable sections).

In the end, the most basic function of an IRB is patient advocacy & record retention of patient safety discussions (for verification of review). Institutional IRBs in some cases do not scrutinize the in-house clinical trials adequately. In-house clinical trials do not get monitored as frequently due to lack of funds.

The institutional IRB’s should insure the name of the parent company/institution is tied to CFR compliant clinical trials, or the brand may be effected.

But I have a question for IRBs using electronic records: are you ready for the FDA investigator to challenge your 21 CFR Part 11 electronic record compliance? I have observed many large IRB’s staying in the paper records format. Due to cost & physical space issues, electronic is now the obvious way to go.

IRBs are getting more ICH audits and vendor qualifications which help IRBs stay in compliance with ICH guidance and the FDA regulations. FDA needs IRBs in good standing to review the many studies FDA field Investigators will not be able to Inspect. IRB’s play a major part in regulating clinical trials.

When I was with the FDA I always tried to encourage the IRB’s after a 483 was issued to do more for the patients and to effect real change in the amount of studies audited for QA. The FDA cannot get to every study or even thirty percent of the on-going clinical trials combined (biologics, drugs, & devices).

You, IRBs, do the heavy lifting for domestic clinical trial regulatory compliance. Thanks for the hard work.

You can follow Patrick on Twitter here.

Patrick Stone, President, TradeStone QA

In 1999 the FDA released guidance for industry on the electronic records requirements for human clinical trials involving drugs, devices & biological entities (including the manufacturing of the approved products previously listed). In 2002 the FDA started training the field investigators how to review electronic records during routine inspections of human bioresearch and manufacturing for drugs, devices & biological entities. The catch was FDA investigators were not able to actually cite violations for 21 CFR Part 11 (code of Federal regulations) until approximately 2006.

The FDA instructed field investigators to only write up 21 CFR Part 11 violations if there were other non-Part 11 violations as well. One of the reasons it took so long to enforce the 21 CFR Part 11 violations was that fact that TurboEIR (FDAs report writing template system) did not have 21 CFR Part 11 483 cites. TurboEIR 483 citations became standardized because of the inconsistencies of 483s issued throughout the nation.

Fast forward to 2009 and the FDA starts to ramp up electronic record review for every firm that uses electronic records.

As an FDA investigator I have conducted many electronic record reviews and discussed many 483 cited observations with the Center for Drug Evaluation & Research and the Center for Devices and Radiological Health.

The most recent inspection I conducted for electronic records was a molecular diagnostic laboratory conducting testing for human clinical trials. This was a very special case in which I observed the clinical trial data did not match the data-listing provided by the sponsor. Long story short, the firm was using a data-stick to transfer original data-output and transferring it to an Excel data-set. Microsoft Excel® is not 21 CFR Part 11 compliant and the Excel® program cut off too many digits after the decimal place. The solution was an easy fix in that I suggested the molecular lab simply print out the original data and use that instead of the data-stick transferred data.

The Center put a short hold on the project until the reems of paper could be submitted in proper fashion.

The moral of the story is that as a sponsor or health care manufacturer you have to ensure that any projects slated for all electronic record submissions must be qualified and verified to comply with the electronic record regulation.

I will also give you one more example of a scenario where a project was held up by the agency for electronic record issues. I was inspecting a human clinical drug trial and I observed that source data did not match the sponsor provided data-listing because when the study was closed out and the data-lock was put in place it changed the audit trials and greyed out many data-points.

When choosing an electronic records vendor make sure that the data is never obscured or unreadable when the clinical trial is completed and data-lock is in place. You have to go from cradle to grave with your data and validate every step.

The FDA has made numerous electronic records exemptions for the Department of Defense and other U.S. Government agencies under the following exemption law (device products). A Compilation of Exemptions for Electronic Products Found in 21 CFR Chapter I, Sub-Chapter J — Radiological Health Parts 1000 – 1050.

However, the FDA does not currently abide by the electronic records regulation it enforces, for another case of do what I say, not what I do.

You can follow Patrick on Twitter: http://twitter.com/BIMOQA

Mark Mansour, Partner, Bryan Cave, LLP

Amid continuing debate about the timing and shape of the Senate’s food safety bill (the House passed a version in July 2009), comes a new issue that affects companies in the food, drug, device and cosmetic industries.

Several months ago, FDA Deputy Chief Counsel for Litigation Eric Blumberg told industry representatives at the FDLI Annual Conference that the agency is prepared to dust off the three-decade-old “Park Doctrine” to augment FDA’s continuing efforts to ratchet up its enforcement profile. The doctrine stems from the United States Supreme Court’s decision in United States v. Park, 421 U.S. 658 (1975). In principle, it allows the government to pursue misdemeanor charges against a corporate officer for alleged violations of the Federal Food, Drug, and Cosmetic Act, regardless of whether the officer is aware of the existence of a violation, as long as the officer holds a position of responsibility so that that individual could have initiated preventive or corrective action and, for whatever reason, failed to do so.

Park represents a strict liability standard, so no warning letter is required. FDA need only request that the Department of Justice file charges based on FDA’s conclusion that an officer is guilty of misconduct, which is effectively defined as failing to know what FDA believes one should have known. In sum, what an executive does not know can be more than harmful.

The scale of punishment for misdemeanors ranges from one year in prison and/or a maximum fine of $100,000 for each count, ranging to much higher where injury or death are involved. Courts can impose mandatory prison sentences, and if FDA believes a substantial risk of injury or death is involved, judges can increase the length of prison sentences.

At a time when corporate resources are stretched, the entire spectrum of regulatory compliance issues has become every bit as critical for senior management and counsel as the other bet-the-company issues that confront each company on a day-to-day basis.

Mark Mansour is a partner in the firm, Bryan Cave, LLP

Mark Mansour, Partner, Bryan Cave, LLP

FDA: Genetic Testing Kits are Medical Devices

The FDA has sent letters to five manufacturers of genetic testing kits stating that the agency is considering the kits to be medical devices. As such, the agency has said that they need to receive approval from the agency before they can be marketed. The House Energy and Commerce Committee has announced that it too is looking into the tests.

FDA Requests Notifications of Intention to Participate in Meetings on PDUFA Reauthorization

The FDA has issued a notice requesting that public stakeholders notify the agency of their intent to participate in periodic consultation meetings on reauthorization of the Prescription Drug User Fee Act (PDUFA). After the statutory authority for PDUFA expires in September 2012, the FDA will consult stakeholders to develop recommendations for the next PDUFA program. Notifications of intention to participate must be submitted by June 25, 2010. The first stakeholder meeting will be held on July 1, 2010, from 9 a.m. to 11 a.m. More information is available here.

FDA Corrects Dental Device Final Rule

The FDA has issued a notice that it is correcting an error in its Final Rule on dental devices, published on August 4, 2009. More information is available here.

FDA Seeks Comments on Labeling Requirements, Premarket Approval, Drug Co-Development

The FDA is seeking comments on the standardized format and content requirements for the labeling of over-the-counter (OTC) drug products. Comments are due by August 2, 2010. More information is available here.  The FDA is seeking comments on requirements for premarket approval of medical devices. Comments are due by August 9, 2010. More information is available here. The FDA also seeks comments on methods to co-develop two or more distinct investigational drugs intended to be used in combination to treat a disease or condition. FDA is planning to develop guidance for industry and other affected parties on the co-development of two or more novel drugs intended to be used in combination (but not as not fixed-dose combinations) and is seeking public input to identify the affected parties’ information needs concerning such co-development. Comments are due by September 7, 2010. More information is available here.

Mark Mansour is a partner in the firm, Bryan Cave, LLP

With the advent of SaaS (Software as a Service), security becomes all the more critical in terms of both the user of the service and the administrator of the environment providing that service.  The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML.  This makes life much easier for all parties.  From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity  only  a web address and a password.  From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic; an IT dream come true.  Users will either be coming into a hosted CATSWeb environment via HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.

Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports being monitored constantly through the firewall, protected by live scanning anti-virus solutions and safeguarded by managed IDS (Intrusion Detection) systems.  Add to that all web traffic is logged from start to finish and you’ve got as bulletproof a server system as can be found.  And then we get to CATSWeb itself.

Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe.  First, each customer company has their own unique, individual database not shared by anyone else. If a customer chooses to require SSL for accessing their CATSWeb database, this ensures that all traffic to and from that database is encrypted.  System access is automatically logged for easy review, including the IP address from where the traffic originated.

The rest we leave up to users.   I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible.  The “user access pendulum” we leave to the users of CATSWeb.  An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more.  This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.