George Santayana said: “Those who cannot remember the past are condemned to repeat it.”
Small and mid-size pharmaceutical companies may ask why they should spend limited resources on a GMP Intelligence program. The answer is simple, it saves money. The return for a comprehensive GMP Regulatory Intelligence program can far outweigh the cost. Let’s look at this from two different perspectives: regulator expectations and an example of the financial value it can provide using enforcement actions for lack of data integrity as an example.
REGULATORY EXPECTATIONS: ICHQ10, Pharmaceutical Quality Systems, requires the “Monitoring of Internal and External Factors Impacting the Pharmaceutical Quality System” including “emerging regulations, guidance and quality issues…” This type of program is no longer a nice-to-have, but is now expected by regulators. During recent GMP inspections, both FDA investigators and EU inspectors have asked companies how they manage this function.
Further, ICHQ10, Pharmaceutical Quality System, identifies Knowledge Management as an “enabler” of an effective Quality System. A comprehensive GMP Regulatory Intelligence program should be a component of this effort. GMP Regulatory Intelligence functions as an early warning system allowing a company to make changes in practices and procedures, if necessary, before a regulatory authority imposes a costly enforcement action. Even when changes are not necessary, this informs staff about the areas of focus they might expect during inspections. Key to a successful program is active surveillance of publicly available information, supplemented by subscription based data. This should be followed by analysis and communication to a wide group of Operations, Regulatory and Quality staff to ensure the knowledge is not limited to functional silos.
FINANCIAL VALUE: This article uses the example of data integrity enforcement actions over the past ten-plus years and identifies the missed opportunities where firms failed to learn from publicly available information. Many have suffered expensive consequences, both financial, and in reputation within the industry. Table 1 provides a selected list of enforcement actions based on shortcomings in the broad category of data integrity.
As early as 2000, a warning letter issued to Schein Pharmaceuticals cited lack of control over computerized laboratory systems1 including lack of password control and broad ranging staff authority to change data. Another event was a 15-page form FDA-483 issued to Able Laboratories in New Jersey in 2005. Warning letters citing deficiencies in the broad area of data integrity were issued to Actavis Totowa LLC and Sandoz sites, both in the US followed in 2007 and 2008 respectively. Three warning letters were issued to two Ranbaxy sites in 2006 and 2008. The Ranbaxy inspections and warning letters were eventually followed by import alerts, a consent decree agreement, fines and loss of generic product exclusivity. In addition, Wockhardt Ltd. and Changzhou SPL Company received warning letters in 2006 and 2008 respectively, citing concerns about the authenticity and integrity of data. Even discounting the warning letter to Schein Pharmaceuticals in 2000, these early signals, from 2005-2009, were publicly available from regulators as well as being covered in the popular press and trade publications. Firms missed multiple opportunities to learn from the mistakes of others and immediately evaluate and initiate remediation if necessary. Table 1 shows that enforcement actions based on data integrity have continued into 2015 with similar inspection observations and warning letter deficiencies.
Finally, FDASIA became law in July 2012 and introduced a revised definition of adulteration to include products manufactured by firms that “…delays, denies, or limits an inspection…” FDA used this justification several times in issuance of warning letters, the first two of which are identified in Table 1. If firms tracked new legislation, particularly in the draft versions, they would have been informed about the expanded definition of “adulteration”. Publication of a draft and then final guidance clarified and expanded on the revised definition of adulteration.
Table 1. Selected Enforcement Actions for Data Integrity Problems
|FY||Company||Additional Enforcement Actions or Comment|
|2000||Schein Pharmaceuticals 1||Warning letter to Schein Pharmaceuticals cites inadequate control over laboratory computer systems including password control and authority to change data.|
|2005||Able Laboratories, Cranbury NJ||The 15 page form 483 was among the early forms 483 addressing the broad category of data integrity. Resulted in withdrawal of ~ 50 ANDAs and the firm is no longer in business.|
|2007||Actavis Totowa LLC, NJ||Electronic data files not checked for accuracy; data discrepancies between electronic data and data documented in laboratory notebooks.|
|2008||Sandoz, site in NC||Analysts may modify, overwrite or delete data; no audit trails or history of revisions in analytical data|
|2006||Ranbaxy, Paonta Sahib||Import alerts were issued for four Ranbaxy sites, two dated 9/10/2009 and two dated 9/13/2009
Ranbaxy entered into a consent decree agreement with the courts in January 2012
Ranbaxy agreed to pay a $500,000 fine in May 2013
Additional Ranbaxy site at Toansa, India was added to the consent decree agreement in January 2014
See the FDA timetable of enforcement actions and associated documentation including some forms 483.
|2008||Ranbaxy, Paonta Sahib|
|2009||Ranbaxy Ohm Laboratories in Gloversville NY|
|2008||Changzhou SPL Company||Import alert dated September 10, 2009|
|This firm, located in the US conducted BA/BE studies in support of NDAs and ANDAs. It is no longer in business
Forms 483 here
FDA sent a letter to the firms that contracted with Cetero Research for BA/BE studies requesting specific information to establish validity of the BA/BE information in the drug applications.
|2006||Wockhardt Ltd||Another warning letter form 2006 that mentions issues in the data integrity area
The 2013 warning letter was the second warning letter that cited the new FDASIA power to determine products adulterated if they are manufactured at a site that “delays, denies or limits” an inspection.
The FY 2014 letter addresses two sites owned by the company
Import alerts issued for two sites in India on May 22, 2013 and November 26, 2013
The 6-page form 483 to Morton Grove Pharmaceuticals identifies similar practices to those found to be objectionable at the sites in India
|2014||Morton Grove Pharmaceuticals (US site owned by Wockhardt)|
|2012||Fercy Personal Care Products Ltd||Import alert issued May 10, 2012|
|2013||Fresenius Kabi Oncology Ltd||This represents the first warning letter to cite the FDASIA definition of adulteration to include products made in a facility that “delays, denies or limits” an inspection.|
|2014||Apotex Pharmachem India Pvt Ltd.||Import alerts issued April 1, 2014 and April 22, 2014|
|2015||Apotex Research Private Ltd.|
|2014||Tripfarma S.p.A||This site in Italy has data integrity type of issues identified in this recent warning letter.|
The collection of enforcement actions in Table 1 and agency documents span more than ten years and covers both GMP and GCP. Firms located in the US, EU, India and China have been cited for data integrity problems. If firms read and internalized the actions at Schein Pharmaceuticals, Able Laboratories in Cranbury NJ, Actavis Totowa LLC in NJ and Sandoz in NC, followed the Ranbaxy series of actions, there is no reason to claim surprise in this enforcement area in 2015. Note that the earliest publicly available signals of the problem occurred during inspections of sites in the US. Enforcement for lack of data integrity is not limited to actions taken by FDA. The public section of the Eudra GMDP database was expanded in 2014 to include reports of non-compliance, many of which address the area of data integrity identified during inspections conducted by the European authorities. Also, MHRA first published a series of Q&A on this topic in January 2015 that was revised in March 2015. Anyone interested in data integrity should read, and re-read this.
It does not take a complicated financial formula to see that there are financial consequences for these compliance actions. For example, Able Laboratories ceased doing business, Cetero Research is no longer a business entity, Ranbaxy is in the process of being acquired by another pharmaceutical company in India, and Wockhardt Ltd’s sales are severely diminished in the US2
CONCLUSION: In conclusion, data are publicly available to inform companies about changes in GMP laws, regulations, guidance, and inspection focus and enforcement trends. The example of data integrity is not meant to be the only topic for which this is true, but it is one where firms have suffered financial consequences resulting from enforcement actions. A GMP Regulatory Intelligence program should provide analysis and connect the dots among different types of information and multiple enforcement actions over time. New and important boilerplate language in a warning letter should be identified and communicated. Warning letters that identify new types of deficiencies, for example the absence of audit trails, are important to evaluate. Likewise, warning letters that identify seemingly stringent requirements that can be linked to similar requirements in consent decree agreements should be highlighted. An effective comprehensive GMP Regulatory Intelligence program meets the requirements in ICHQ10 and serves as a component of a corporate knowledge management system. Finally, the financial return is substantial if the program if the program provides actionable knowledge to prevent a warning letter, import alert, seizure or the more serious consent decree agreement. Companies should consider that this applies across the GXP continuum, and is not limited to GMP activities alone.
1 The warning letter is not available on the current FDA web site and must be requested under FOI. Following is the specific deficiency.
6. Failure to maintain the integrity and adequacy of the laboratory’s computer systems used by the Quality Control Unit in the analysis and processing of test data. For example:
a) There was a lack of a secure system to prevent unauthorized entry in restricted data systems. Data edit authorization rights were available to all unauthorized users, not only the system administrator.
b) The microbiology departments original reports on sterility test failures of Penicillin G Potassium for injection, lots 9804024 and 9811016 due to environmental mold, which were sent via electronic mail to the Quality Assurance Management, differed significantly from the versions included in the Quality Assurance Management’s official reports.
c) The network (b) (4) module design limitations, which can only support up to four chromatographic data acquisition systems, had up to five chromatographic systems connected. There was no validation showing this configuration to be acceptable.
d) System testing was not conducted to insure that each system as configured could handle high sampling rates. Validation of the systems did not include critical system tests such as volume, stress, performance, boundary and compatibility.
2 See article in FiercePharma from 11/3/2014