Sunday, December 9, 2018

FDA Puts Santa on the Naughty List!



December 1, 2018

Mr. Kris Kringle, Owner
Santa’s Workshop, LLC
1225 Santa Clause Way
North Pole, Arctic Circle
Dear Mr. Kringle:

The U.S. FDA inspected your manufacturing facility, Santa’s Workshop, LLC at
1225 Santa Claus Way, North Pole Arctic Circle, from April 2 to April 20, 2018.

This warning letter summarizes significant violations of CGMP regulations for finished product. See 21 CFR, parts 210 and 211. During our inspection, our investigators observed specific violations including, but not limited to, the following.

CGMP Violations

1.    Your firm failed to ensure that each person engaged in the manufacture, processing, packing, or holding of product has the education, training, and experience, or any combination thereof, to enable that person to perform his or her assigned functions (21 CFR 211.25(a) and 211.28).

Many members of your Enterprise Labor Force (ELF) unit lacked sufficient prior experience for designing and assembling (b)(4). At the time of our inspection, no ELF members had received training on CGMPs, and most were unaware of their responsibilities in the areas of cleanliness and proper attire. Hands and faces were often coated with chocolate, and bells on hats and shoes prevented protective apparel from attaining a proper fit. More generally, factory staff demonstrated an undisciplined, almost gleeful disregard for quality procedures. On three separate occasions, at critical stages of the manufacturing process, floor workers erupted into spontaneous song and dance.

Your written response of May 18, 2018 is inadequate because it does not address these training and experience deficiencies. While endearing, the ability to “sit on a shelf” or “live in a hollow tree” does not constitute acceptable manufacturing experience. Candy coating does not qualify as protective covering. And sticking one’s hands in a nearby snowdrift is not a recognized sanitation procedure. “Pure as the driven snow” is not a thing. Especially with all those reindeer knocking about.

2.    Your firm failed to maintain a system by which the distribution of each lot of product can be readily determined to facilitate its recall if necessary (21 CFR 211.150(b)).

Product distribution records were incomplete and, in the event of a recall, would be insufficient to identify all product recipients.

Your written response of May 18, 2018 is inadequate. Santa’s Own Procedures (SOPs) are insufficient to capture the information required to conduct a thorough recall.  Mr. Kringle may well know which customers are naughty and which are nice -- who’s good, who’s bad, who’s sleeping, and who’s awake, but this information is not written down and, in the opinion of our investigators, would be of limited value if it were.

3.    Your firm failed to store product at an appropriate temperature to ensure the identity, strength, quality, and purity of the products are not affected (21 CFR 211.142(b)).

Entire sections of the facility lacked effective air conditioning, resulting in destruction of all (b)(4) warehoused in two large storage rooms. A third inadequately cooled room was not in use, and except for some miscellaneous items – a couple hunks of coal, a corncob pipe, and a large, oddly sad puddle of water – the room was all but empty.

Your written response of May 18, 2108 was inadequate. FDA isn’t really sure what to do with “that old silk hat we found” in your response package.

4.    Products failing to meet established standards or specifications and any other relevant quality control criteria shall be rejected. Reprocessing may be performed (21 CFR 211.165(f)).

While not strictly a violation of 21 CFR 211.165(f), the rejection and quarantining procedures your firm follows for products that fail to meet established criteria is concerning. While it’s appropriate to reject a (b)(4) that swims, a (b)(4) with square wheels, a (b)(4) that shoots jelly, and a (b)(4) that rides an ostrich, exile to a remote island ruled by a flying lion is, in a word, extreme. Your firm also rejected and exiled a (b)(4)-in-a-box for what was almost certainly an easily remediated labeling problem; reprocessing would have been a more appropriate course of action. Also, we just have to know. Seriously. WHAT WAS WRONG WITH THE DOLLY???

5.    Your firm failed to establish adequate acceptance criteria for sampling and testing necessary to assure that batches of product meet appropriate specifications as a condition of their approval and release (21 CFR 211.165(d)).

Sampling procedures consisted of pulling each finished batch of (b)(4) out of a hot oven, taking a few nibbles, and declaring it “Jingle-icious.” Testers would frequently adulterate samples by submersing and saturating them with milk. These procedures are totally without scientific rigor. Furthermore, sampling was not restricted to members of the Quality Control Unit, but was extended to the entire plant floor. At times, sampling frequency was so high that there was very little, if any, of (b)(4) left to distribute. (On a personal note, our investigators would like to express their appreciation for the opportunity to participate in the testing activity. All the batches they sampled exceeded the strictest statistical quality control criteria, excepting the fruitcake, which could have benefited from additional stability testing and an earlier expiry date.)


Violations in this letter are not intended as an all-inclusive list. Typically the manufacturer is responsible for investigating violations, determining their root causes, and preventing their recurrence. However, in this case we’re going to make an exception. Though your methods and procedures are unconventional and frequently out of compliance with regulations, they are not wholly without merit. Our investigators have never experienced such a high level of workplace morale -- some calling it “downright merry” – and believe it warrants further observation. Investigators have suggested a series of mutually consultative visits to your workshop. Music, dance, batch samples, reindeer games, and the occasional adulterated eggnog are highly encouraged.

Holly Bush
Division Director/OPQO Division I
North Pole District Office

Monday, October 15, 2018

The One-Hour Study Site Audit

In an effort to tease out the priorities of a clinical study site audit, I asked six of our most experienced GCP auditors the following question:

If you only had one hour to conduct a study site audit,
what would you look at?

[Obligatory warnings:  Do not try this at home. This is just a simulation. Caveat lectorem. Dinosaurs in the mirror are bigger than they appear. Et cetera.]

Of course it’s not possible to conduct any kind of meaningful audit in so short a time, but it’s an interesting thought exercise because it gets to the heart of study site risk. In order to respond to this question, the auditors needed to ask themselves:
(1) What are the greatest site risks to a study?
(2) Where can evidence be found that those risks are being managed?
Answering the first question is pretty easy. The very first paragraph of ICH E6(R2) tells us “Compliance with this standard provides public assurance that the rights, safety and well-being of trial subjects are protected…and that the clinical trial data are credible.” So there it is: the reason GCP exists. When we conduct clinical research, our highest priorities are human subject protection and data integrity. It follows, then, that jeopardizing these obligations is our greatest risk.

So with only an hour to evaluate whether a study site is managing these risks, we can move on to the second question. What would our audit (now referred to as “hour audit”) look like?

IRB Approvals

Hour Auditor has decided to spend the first twenty minutes at the site reviewing IRB approvals. Are all of the IRB approval letters in the Investigator Site Files (ISF)? Is the protocol that’s being executed the same version that the IRB approved? Have the protocol amendments and all of the associated Informed Consent Forms (ICFs) also been approved?

Missing approval letters aren’t necessarily the end of the world. It’s quite possible that the required approvals are sitting on the sponsor portal, having been received from a central IRB. Their absence from the ISF could just be a clerical error. However, it’s a first-order finding if the site was responsible for getting approval from its local IRB and failed to do so. The IRB would have to be notified. The FDA would have to be notified. Without review and approval from an ethics body, the safety of study participants is jeopardized and their rights violated. Everything stops.

Informed Consent

With forty minutes left to go, Hour Auditor spends the next twenty minutes reviewing participants’ ICFs. The selection of these participants may be random or targeted, depending on the results of the IRB approval review. Has each participant signed every applicable version of the ICF? Were they signed before any associated study procedures were conducted? If not, was the delay noted in the subject notes? How was the situation remedied? Was there a CAPA to ensure that any other incidents were corrected and future occurrences prevented? Was the IRB informed?

Inclusion/Exclusion Criteria

Now down to the final twenty minutes, Hour Auditor asks to see the Inclusion/Exclusion (I/E) criteria for two screened and enrolled participants. Most likely, the particulars of the study -- the vulnerability of the patient population, the therapeutic area, and the protocol complexity, among other things -- would drive the selection.

We’re running out of time, and this could be our final stop. With so much else to look at, including source data, IP accountability, staff qualification and training, and Adverse Events reporting, why focus on I/E criteria? Because they give us a glimpse of many aspects of study conduct all at once. When a site can assess complex I/E criteria correctly, it demonstrates protocol compliance and a commitment to producing reliable study data. Examining I/E criteria also gives Hour Auditor a chance to assess source data quality and provides further assurance of subject safety.

Best Laid Plans
As with any audit, particular findings at any step could (and should) alter the plans for this one-hour visit. If the ICF review left Hour Auditor concerned about fundamental flaws in the IC process, the rest of the audit might be spent trying to determine the extent of the problem. An incidental discussion could raise red flags about staff proficiency that may have Hour Auditor poring through protocol training records or scrutinizing the Delegation of Authority log. (Plus, Hour Auditor really, really wants to take a peek at the IP accountability records, and so may find a reason to do so*.)

The point of this thought exercise was to consider (1) the obligations of the clinical research industry to protect subjects and produce reliable data, (2) where the biggest risks to that obligation lie, and (3) how site audits should be prioritized to ensure those obligations are being met and those risks are being managed.


*The auditors involved in this discussion did their best to honor the absurdly artificial time constraint I gave them. That meant foregoing activities no self-respecting auditor could bear to forego. This paragraph recognizes some of those activities. (Thank you all. I know this hurt.)

A version of this article originally appeared in InSite, the Journal of the Society for Clinical Research Sites.

Alarm Clock Image via Good Free Photos

Monday, August 13, 2018

What Suprises GCP Auditors?

Last month, I scheduled one-on-one discussions with our most experienced GCP auditors to ask each of them the same question: What surprises you most about the audits you conduct?

I guess you could say that I was the one who was surprised. I’m not sure exactly what I was expecting to hear, but I thought my teammates were going to talk about things that were new. Instead, I heard a lot more about things that have been around for a long time. To a person, my colleagues said they were surprised to be observing some of the same audit findings they were observing 30 years ago...which *is* surprising when you consider most of them were mere children at the time. ;-)  It seems we have some stubbornly persistent quality and compliance issues in the biopharma industry that decades of neither experience nor technology have seemed to remedy. And the problems are not just persistent; they’re interrelated.

Tuesday, July 10, 2018

Hackin' the GDPR

Trying to comply with the GDPR got you down?
Maybe our parody will cheer you up.

(Sung to the tune of Lennon-McCartney's "Back in the U.S.S.R.")

Monday, May 14, 2018

eSource Terminology Untangled

True or False:

(1) eSource in clinical trials means eliminating the possibility for transcription errors.

(2) Data collected in Electronic Data Capture (EDC) systems is eSource.

Strictly speaking, both statements are false. If that surprises you, it’s probably because many casual uses of the term “eSource” actually differ from the formal definition laid out by FDA. If the participants in any discussion share the same interpretation of “eSource”, or if it’s clear from context how “eSource” is being used, then no harm, no foul. (Contemporary translation: “Meh.”) BUT…and you know where we’re going with this…when a term can be interpreted in multiple ways, there’s always a possibility for miscommunication and cross talk.

Monday, March 19, 2018

Delegation of Authority Log: Tips for Monitors

We may call them “site inspections”, but it’s not the site that’s being inspected when a regulator visits; it’s the Principal Investigator. Though a PI typically delegates study tasks to other staff members, he or she remains solely responsible for the conduct of the study. In fact, the ICH E6(R2) addendum adds two new sections to the international guidance that emphasize PI supervision.

That’s what makes the Delegation of Authority (DoA) log so important and why regulatory inspectors care about it so much. A DoA log serves as evidence that a PI has assigned study tasks only to those staff members with the education, training, and experience to carry them out. If delegates are unqualified to perform their tasks, subject safety could be at risk and it’s highly likely that the study data would be unusable.

Monday, January 15, 2018

Study Sites: Show 'Em Your QC!

Sites frequently want to know how they can stand out to Sponsors and CROs to win more studies.
Our advice: Implement internal QC procedures.

Sponsors and CROs we work with consider a tight quality control program to be evidence that a site can be counted on to produce reliable data. It shows that managing quality at your site is a continual process, and doesn’t wait for monitors to arrive. In a risk-based monitoring environment, this is an increasingly compelling attribute.

Where to Start: The Usual Suspects
It makes sense for you to focus your QC efforts on those areas where you’ve historically had the most problems. If the phrase “trend analysis” makes you want to jump through a window -- it's okay -- you can climb back inside. You don't have to do a trend analysis. We've identified 3 areas in which audit findings are common and how you can avoid them.