What's New in the Regulatory World?

Regulations typically move at a snail's pace as we're dealing with governments: slow to be generated, slow to be enacted and slow to be changed. But just like waiting for a bus, you wait for ages and then several come along at once! I want to summarize what is happening in the regulated world for the pharmaceutical industry with regard to regulations and associated guidance documents that have been issued since around the start of the year:

• ICH Q10: Pharmaceutical Quality Systems: final version issued June 2008.

• FDA Direct Final Rule for some Good Manufacturing Practice (GMP) regulations: will we or will we not publish — withdrawn in April 2008.

• European Union GMP proposed changes to Annex 11 for computerized systems and associated changes to chapter 4 (documentation) issued for comment in April 2008.

• Version 5 of the Good Automated Manufacturing Practice (GAMP) guidance published in March 2008.

• An update of the Red Apple 2 guidance for Computerized Systems in Non-Clinical Safety Assessment published in May 2008.

So not bad for half-a-year's activity. Let's start at the top of the pile and work our way down.

Quality Management Systems for the Pharmaceutical Industry

It may come as a surprise to many of you working outside the pharmaceutical industry that there is no formal quality system. If you work in a laboratory accredited to ISO 17025 (for testing and calibration laboratories) or an organization that works to ISO 9000 (or a variant of this) you will know that the heart of the quality approach is a quality management system (QMS). The essential elements are that quality is driven from the top by senior management — if they are not involved then everybody is wasting their time. There is a quality policy and underneath that the procedures and instructions to enable people to do their jobs and work together.

The medical device industry has worked either to the US regulations or in Europe to ISO 13489 and these both have a QMS based on ISO 9000. The pharmaceutical industry did not have a similar approach to this just the GMP or Good Laboratory Practice (GLP) regulations, which were written in the 1970's. So the regulatory authorities have attempted to do something about it over the past four years:

1. The US FDA published a Guidance for Industry entitled Pharmaceutical Quality Systems that attempted to interpret the existing regulations under a QMS banner.¹ This is the regulatory equivalent of fitting a square peg into a round hole, the problem was constraint by the existing regulations being too vague and were stretched to make the interpretation fit a QMS.

2. The International Conference on Harmonisation (ICH) has written a document in the quality stream called Q10: Pharmaceutical Quality Systems that was published in June 2008.²

ICH is a collaboration between the European, US and Japanese regulatory agencies and their regional counterparts in industry and the aim of the output is to have consistent regulatory approaches on a global basis. This approach has produced a far more rounded attempt at implementing a QMS and the advantage is that it does not attempt to interpret existing regulations but places the QMS over the organization like an umbrella. This means that as the QMS is implemented from the top down, and as it impacts existing working practices and interpretation of the regulations it will start to change the way people work and think. Therefore, this will be a structured and gradual rather than big bang approach to quality.

The contents of Q10 cover the following topics:

• Management responsibility including management commitment (this is critical to the establishment and maintenance of any QMS).

• Quality policy, quality planning and management review.

• Management of outsourced activities and purchased materials. This last subject is very important since the heparin scandal in the US at the end of 2007 and early 2008, which resulted in over 200 deaths from outsourcing production to a Chinese factory.

• Continual improvement of product quality and process performance covering process performance and product quality monitoring system; corrective action and preventive action (CAPA) system; change management system; management review of process performance and product quality; continual improvement of the quality system; management review of the pharmaceutical quality system; monitoring of internal and external factors impacting the pharmaceutical quality system; outcomes of management review and monitoring.

These are all essential elements of a QMS that have been interpreted for a pharmaceutical company. What it means in practice is that quality will be driving a focus on measuring, analysing, understanding and improving the working practices throughout an organization. Typically, this is where little existed in the past. So metrics of how many, how often, how quick tasks take will need to be set up and generated, however, most of these metrics may be based on paper processes and will be generated manually. To be really effective, automated quality systems will need to be introduced.

The next steps in the process for implementing Q10 will be for it to be incorporated into the local regulatory scheme. My understanding is that the FDA will replace their current guidance on pharmaceutical quality systems with Q10 to ensure global harmonization, while in Europe, ICH Q10 will probably be incorporated as an Annex into GMP the regulations. However, there is no published timescale for these activities.

Out through the In Door: FDA GMP Update

Some of you may remember my discussion in Questions of Quality at the start of this year where I discussed the proposed changes to the FDA's GMP regulations that had been unchanged for three decades.³ My discussion focused on the changes proposed for computerized systems where a validated computerized system used in manufacturing did not need a second person to verify an action. There were some other changes involving water purity and aseptic processing that I did not discuss as they were not of interest to the readers of LCGC Europe.

The mechanism for implementing the changes was through a direct final rule that would be effective on 18 April 2008 unless there were any objections. Guess what? There were. Therefore, all the amendments to the GMP regulations were revoked by the Agency on 4 April.⁴ All the responses to the direct final rule are posted on a website and it is interesting to read some of these.

Many pharmaceutical companies were quite happy with the proposed changes and offered no adverse comment, however, some industry bodies and consultants were very against the changes and the way they were introduced.⁵ As a result of the latter, the FDA withdrew the changes — back to square one.

Version 5 of Good Automated Manufacturing Practice (GAMP)

On the global stage, GAMP version 5 was released to the general public in March.⁶ The GAMP guide has been published since 1995 and was originally a means of advising suppliers of pharmaceutical manufacturing equipment what was needed in terms of compliance from them, over time it has expanded from this role to become a major guidance for computerized system validation.

At first sight the new version appears to contain a far more flexible approach to computerized system validation than in earlier versions of the guide. For example, each of the software category three, four and five systems now have their own life cycle models and anticipated documentation — a triumph for reason versus the traditional GAMP V model.

This latter model, which has been used from the start of GAMP for production and process systems, was typically used as THE life cycle model for any system validation. In many organizations, all systems were always shoehorned into it regardless of logic or reason that said otherwise.

I was always a critic of this model for computer applications where a vendor was responsible for the majority of the life cycle and the company responsible for configuration and implementation. However, reading GAMP 5 the traditional V model appears to have gone missing in action which is a shame as it is very pertinent for production equipment and systems as I have previously said.

Perhaps it is too early to suggest to the GAMP Forum that they could get it right in GAMP 6: a general introduction on the principles of CSV for all systems. Then there would be one volume for computerized application and another one for process systems just to demonstrate that one size does not fit all.

In the laboratory there is one change that does impact us with the new GAMP guide, this is Appendix M4 covering classification of software. In the old version of the guide there were five categories of software, which has reduced to four in the latest version. Software category two is now missing from the guide and this covered systems with firmware or the program stored in read only memory chips. Examples of systems containing firmware are balances, pH meters and dispenser dilutors. Under the old guide these could be classified as equipment and qualified to demonstrate their intended purpose, which was a simpler process that implicitly tested the software elements rather than validated. The argument was that firmware can vary from simple to complex and, therefore, it can be dealt with under the other software categories. Perhaps you want to ignore GAMP 5 and retain this category of software for laboratory equipment.

Draft Proposals for EU GMP Annex 11 Published for Comment

In Europe, the EMEA issued proposed changes to EU GMP Annex 11 (computerized systems) and also chapter 4 (documentation) on 8 April.⁷ Note that these are not simply updates but major changes (the proposed Annex 11 is four times the size of the current version) and are out for public comment until the end of October.

I will only focus on some of the proposed changes to Annex 11. The format of the current Annex 11 has been maintained: a principle and 19 clauses (although the new draft references section 20, which is not in the issued draft! you would think the regulators could at least count). Some of the changes are good and reflect current CSV practices while others are, in my view, asking too much especially of smaller organizations. For example:

• Information security management system (ISMS) is mentioned and cross referenced to ISO 17799. Does this mean we have to implement this information security standard? Not even the FDA goes that far.

• Section 3.7 on databases is far more detailed than any other comparable computer regulation as to be proscriptive with little room for manoeuvre, rather than interpretative. Risk assessment — don't bother — just do this and the regulators are happy. Similarly the requirement for "immutable" audit trails (see section 6.1) for applications compares with the FDA's requirement for protection of electronic records by "normal" means.

The requirement for the activities of a system administrator to be monitored does not understand the majority of commercial database products.

There is typically a disappointing response to requests for comment in Europe, but these draft regulations need YOUR comment and input before the end of October to ensure that the EU is aware of some of the issues and modifies the regulations accordingly. If you thought that CSV was harmonizing globally — think again. The FDA appears to be going risk-based and in contrast the EU who are being proscriptive. It's a good time to be a consultant!

GLP Guidance for Computer Validation Updated

Finally, one of the oldest guidance documents that has been available for computerized system validation is titled Computerized Systems Used in Non-Clinical Safety Assessment,⁸ otherwise known as the Red Apple Document. This was originally published in 1988 so it's a bit long in the tooth and outdated, following a new conference two years ago a new version was published in May.⁹ As with the original publication it is for the GLP fraternity and is published by the Drug Information Association (DIA).

The book is divided into eight chapters: (1) system life cycle; (2) validation plan; (3) quality in a regulated environment; (4) security; (5) long term retention of electronic records; (6) business continuity and disaster recovery; (7) infrastructure; (8) instruments and computerized equipment.

The first three chapters discuss aspects of computer validation, the next three chapters the protection of the records generated by a system and the last two chapters discuss important concepts for the application of IT and instruments in a GLP environment. To my mind, the chapter titles and their arrangement look as if they have been pulled at random from a lucky dip and dropped on the page. The life cycle is covered in outline but a validation plan is discussed in great detail.

One item caught my eye in chapter 2 on validation plans: the table titled matrix 4 shows the tasks and responsibilities for the installation and qualification of a firewall in the IT infrastructure. There are up to 24 separate qualification tasks including writing SOPs, but this is for a firewall. If everyone did this companies would be out of business. Risk management? Don't worry, just feel the thickness of the qualification documentation!! Is it any wonder that in some instances computerized system validation has a bad name for being slow and not adding value to an organization?

Summary

In this column I have looked at the changes in regulations and guidance documents impacting the pharmaceutical industry: one is the withdrawal of modifications to regulations, one is a proposed change to an existing regulation, one defined quality systems and two are guidance documents for computer validation.

Bob McDowall, PhD, is principal at McDowall Consulting, Bromley, Kent, UK. He is also a member of the Editorial Advisory Board for LCGC Europe.

References

1. FDA Guidance for Industry, Pharmaceutical Quality Systems, 2005.

2. International Conference on Harmonisation, Q10: Pharmaceutical Quality Systems, Step 4 document, June 2008 (www.ich.org).

3. R.D. McDowall, LCGC Eur., 21(3), 142–145 (2008)

4. FDA Federal Register, 73, (66) 18440 4 April 2008.

5. http://www.regulations.gov/search/index.jsp, search under 2007N-0280" to find the docket content for the various comments and objections.

6. GAMP 5, International Society for Pharmaceutical Engineering, Tampa, Florida, USA, 2008

7. Proposed changes to EU GMP Annex 11 and Chapter 4 issued 8 April 2008.

8. Computerised Systems used in Non-Clinical Safety Assessment, Drug Information Association, Maple Glen, Pennsylvania, USA,1988.

9. Computerised Systems used in Non-Clinical Safety Assessment — Current Concepts in Validation and Compliance, Drug Information Association, Horsham, Pennsylvania, USA, 2008.