Compliance?

As I was reading a recently published FDA Warning Letter dated 21NOV23 (for what must have been the tenth time – this one is full of insight…), specifically section 2B, outlining the firm’s failure to investigate NVP excursions, I was immediately consumed with the concept of “compliance”.  This particular Warning Letter is an extensive insight into the rationale behind the C in GMP – what it means and where it is going, specifically on the topic of data governance and the rationale behind this expectation.

According to the letter, the firm had established a permitted NVP excursion buffer, meaning that an investigation would only be performed if the alarm persisted for some defined timeframe.  I am sure they had established procedures to ensure DI and ALCOA+ were evaluated, and had a signed and archived “DI risk assessment” somewhere in the quality system.  Most if not all sites already have this program and (unfortunate) checklist in place.  I imagine internal audits and inspection readiness checklists were completed with 5 stars, but no one bothered to evaluate governance of the process and ultimate decision-making (in this case to release a DP).  An ALCOA+ evaluation will pass this scenario every time, but a governance approach would have failed.  This gives the site a false sense of inspection readiness.  Governance is ALCOA+, plus an evaluation of good decision-making.  Regulators are now expecting both – which we could define as CGMP. 

Let me expand on this: 

Governance would have required applying the ICH Q9 vertical flowchart to each step/interface in the NVP process.  One of the hazards (HI) identified would have been potential product contamination in the case of an NVP alarm.  No way the firm could have actively accepted that risk, as the severity would be “H” and the probability would be unknown, defaulting to either “H” or “M” (depends on many factors).  Either way, using the “nine-box”, we would have a high-risk hazard, triggering a procedure that requires an investigation (especially as we are in the final step of DP manufacturing…).  However, and unfortunately, it is unlikely the governance approach was applied, allowing the firm to settle on an ALCOA+ compliance checklist – with a 50% inspection score (fail).  This was passive acceptance of risk – which was deleted (rightfully so) from Q9 and is no longer an option in R1.  This is worrying: that basic risk management (2005) and governance principles (2021) are still gathering dust on the internet, despite being around for almost (at least in the case of Q9) a generation!

The reason the regulators have issued QRM, data integrity and data governance guidance over the past 19 years is not simply some random compliance expectation.  If a firm does not understand the rationale behind compliance, it is unlikely to survive much longer, especially as QMM comes into force.  Compliance is not the ultimate goal of CGMP, never has been and never will be: it is a way of doing things, thought processes, critical thinking tools, and culture.  The ultimate goal is good scientific decision-making, and decisions are made by humans evaluating data via some process that has inherent risks…  Compliance is simply a prerequisite.  Compliance is (perhaps?) GMP, but compliance is not CGMP.

Always remember – quality always ensures compliance, but the reverse is almost never the case. 

Let’s go!
