Coming to Terms with Compliance

Drug manufacturers are under increasing pressure to bring products to the market faster and more cost-effectively while simultaneously meeting stringent quality requirements. Changing regulatory environments make the task of monitoring and adhering to quality standards challenging -- but the costs of non-compliance are high. Failing to comply with and satisfy the demands of regulations can result in heavy fines, product recall and in some cases, plant closure.

Before a drug can be marketed, it must gain approval from regulatory authorities such as the US Food and Drug Administration (FDA) and/or the European Agency for the Evaluation of Medicinal Products (EMEA). A company applying for marketing approval must demonstrate that the drug has been produced according to strictly controlled and validated procedures, so ensuring the safety and consistent quality of the product. According to FDA, process validation is defined as: "Establishing documented evidence, which provides a high degree of assurance that a specific process will consistently produce a product meeting the predetermined specifications and quality attributes."

VMP programme checklist

Regulatory compliance is necessary at all levels of the drug discovery and development chain, encompassing areas such as good laboratory practice (GLP), good manufacturing practice (GMP), and good clinical practice (GCP). GLP focusses on the in vitro and in vivo evaluation of toxicological safety, with an emphasis on anticipating safety issues for clinical evaluations. GCP requires the evaluation of both product efficacy and safety in a clinical context, whereas GMP focusses on the quality evaluation of the manufactured product.

The areas requiring regulatory compliance cover an extremely broad spectrum. Existing regulations are periodically updated and revised, and are stringently enforced. Drug manufacturers, therefore, must keep abreast of regulatory developments - even unintentional non-compliance can potentially cost millions in fines and disruption to operations.

The costs of non-compliance

A regulatory authority can impose routine inspections, mandatory alterations in procedures, forced closure and even criminal prosecution on companies failing to comply with regulations. During the past 5 years, there has been an increase in the number of consent decrees (legal agreements to settle disputes with FDA) in the US, which can incur costs of tens of millions of dollars.

A dispute in 1999 involving a high profile company resulted in a $100 million fine for failing to correct defects in its manufacturing processes despite 6 years of warnings (Washington Post 03/11/99).

Warning letters from FDA to companies violating regulations, which are publicly displayed on FDA's website, are another cost that severely damages a company's reputation.The language is unequivocal and plainly states how a company has failed to meet regulatory requirements (www.fda.gov/foi/warning.htm).

Vendor qualification checklist

The ultimate cost, however, to those that fail to meet regulatory requirements is that potential revenue from a product will be lost, jeopardizing returns on investment.

Maintaining compliance

Regulatory compliance is not a one-off procedure and should be an integral part of an organization; companies must take into account compliance. This may involve devising an ongoing management process that includes:

• company-specific interpretation of current regulations

• creation of a systems inventory

• identification of systems that do/do not comply

• a detailed assessment of any gaps in compliance

• development of an active implementation plan, describing the necessary corrective actions required to bring systems into compliance

• prioritization of systems that need to be upgraded

• ensuring compliance of systems according to a prioritized list

• ensuring documentation is in place, archived and properly maintained.

Validation master plan. To avoid unnecessary work and obtain a good overview of the entire project, the plan should not repeat any information that is available elsewhere, for example, in SOPs. Rather, it should refer to established documentation. Regularly updating and reviewing template documents is required to make sure that all the latest regulations are incorporated with newly introduced company policies.

The validation master plan (VMP) is a detailed schedule that summarizes a company's overall strategy for established performance according to predetermined standards for a defined system, process, laboratory or manufacturing facility. All systems need defined specifications and all testing activities should relate to these parameters. A general checklist is outlined in the sidebar "VMP programme checklist."

Whenever manual procedures are replaced with automated systems, it is advisable to simultaneously use both as part of the testing and validation process for a short period of time. In all upgrades, it is important to have a contingency plan in case activities become delayed or any process fails its validation testing.

Legacy systems. A particularly challenging area for drug manufacturers is the issue of legacy systems - the older components of a company's drug development infrastructure, which perhaps have been superseded and/or do not comply with current regulations, and may need updating and rationalizing. Examples include automated instrumentation with associated hardware and software; the systems and protocols used to measure and demonstrate the quality, efficacy and safety of a drug; and the maintenance of data and records.

With automated systems, the automation process itself, as well as the actual assay protocol, has to be validated. A drug company is expected to qualify its analytical instruments, including control software, according to principles and guidelines conforming with accepted GxP regulations. The FDA Electronic Records and Signatures regulation, 21 CFR Part 11, has been imposed on companies working under GxP conditions to provide criteria for the acceptance of electronic records and signatures. The regulation is intended to prevent fraud, manipulation of electronically generated data and to provide reliable electronic signatures, hence speeding up product release and the handling of GxP records. It also aims to ensure that electronic submissions to FDA are consistent, as well as promoting the introduction of new technology.

Outsourcing validation

Complying with regulations and validating procedures can be complex and time consuming, accounting for more than 10% (experience-based value) of the total cost of a plant expansion project. The task can be simplified by outsourcing to a third party (vendor).

Vendors. Many companies rely on vendor supplied information and test data, some even outsource the entire validation process. This, however, can pose a risk unless vendors are adequately screened. All potential vendors should be subject to a formal evaluation (see sidebar "Vendor qualification checklist") and, if selected, should enter into a formal agreement that clearly outlines the responsibilities of that company.

A vendor must have superior technical knowledge of regulatory compliance and validation procedures; must be actively involved in regulatory issues; have a thorough knowledge of GxP and validation support; maintain contacts in regulatory areas; and have comprehensive experience of maintaining validated systems. Additionally, the vendor should be a good source of advice whenever compliance issues are raised.

It is important that vendors are able to provide validation support on a long-term basis and should, therefore, have a strong financial background with qualified and technically competent staff. The vendor should also operate to quality standards such as ISO - an internationally accepted quality management system verifying that an organization operates in accordance with stipulated principles.

Software. For software-controlled systems, the software quality assurance system (SQAS) should be a major factor in evaluating the capability of the vendor. The evaluation will depend on whether the product is a standard off-the-shelf product or one that is customized. Although many vendors claim to deliver compliant systems, there are no systems available today that can meet current regulations without appropriate administrative controls (training, purchasing, password handling) and procedural controls (operating procedures, information handling, backup and restore data, and change control procedures). It is also important to establish the vendor's knowledge and status of 21 CFR Part 11.

Product supply. For product supply, the vendor must be able to provide deliverables in terms of technical specifications, test reports, instrument and maintenance manuals. It should also be able to explain exactly how long any one version of an instrument can be supported, and the control procedures involved in changing from one instrument or software version to another.

The vendor must supply validated systems that meet current regulatory requirements, including electronic records security, and ensure a proper installation and operational qualification programme to make sure that the system is installed correctly and operates as specified on site. All necessary documentation should be available for inspection and review during on-site audits.

Conclusion

Validation is required for regulatory compliance and can be a time consuming and expensive business.

It requires expert knowledge of compliance requirements and a management-led surveillance and implementation programme.

Often, suitable and qualified vendors can play a significant role in assisting companies achieve compliance as well as taking responsibility for conducting validation studies on behalf of their systems, significantly reducing the time and work involved. A well organized and maintained compliance and validation programme, in addition to providing peace of mind, will help to avoid regulatory authority intervention - ultimately leading to faster product approvals, quicker return on investments and uninterrupted returns for products already on the market.