Services: Compliance Assurance-Pharma

For Pharmaceutical Industry

Medical Device Cybersecurity

For medical device manufacturers, technology can be a double-edged sword. The technologies that elevate the quality of life for patients can be used by cybersecurity bad actors to potentially harm patients or undermine the organization using the device as well as the device itself. RCA’s medical device consultants have seen the vast interconnectivity of medical devices widen the attack surface of the public health sector. Intrusions and breaches are possible because of weaknesses in a medical device’s cybersecurity design.

 

Medical device vulnerabilities that are not identified and remediated before the device goes to market can serve as access points for entry into a health care facility’s network, which leads to compromising data confidentiality and integrity as well as potential patient safety.

 

That said, security now needs a seat at the design table, accompanied by its own list of requirements. Many cybersecurity weaknesses are a result of poor design choices and lack of clear requirements. Having a security expert who is familiar with medical device cybersecurity and device development should review the requirements. Many RCA medical device consultants can uncover architecture security vulnerabilities, which can be mitigated during development long before the product goes into manufacturing.

 

The strongest cybersecurity risk control is to use secure by design principles to eliminate the vulnerabilities. The next strongest risk control category is a protective system where the security threat can be detected, responded to, and recovered, so the risk does not materialize. The weakest cybersecurity risk controls are labelling and instructions. All three of these categories of risk controls can be used to manage cybersecurity risks in medical devices.

 

Effective security by design depends on the ability to understand and stay on top of cybersecurity issues to maintain the safety and security of devices, data, and users. One of the biggest challenges with medical device development is infrastructure diversity. Devices are designed, manufactured, configured, and deployed using various programming languages, operating systems, databases, networks, and hardware platforms. This means vulnerabilities can be anywhere.

 

One common issue that can lead to vulnerabilities is when devices still use legacy operating systems that are no longer supported by the companies that developed them. Health care organizations can mitigate these vulnerabilities by restricting access and monitoring for threats on the network where the device is connected.

 

It is not possible to have a completely secure device. But with a well-planned design along with full visibility of product development and the supply chain, companies can strengthen their device’s security posture. Also, cybersecurity must be monitored and maintained throughout the device’s life cycle. As new vulnerabilities are discovered, the device will require cybersecurity patches and updates. Just because something is not exploitable today does not mean it will not be exploitable in the future.

 

The following resources identify specific areas to focus cybersecurity efforts throughout the product’s life cycle.

 

International Medical Device Regulators Forum (IMDRF)

 

The IMDRF published the guidance “Principles and Practices for Medical Device Cybersecurity.” The document provides recommendations to help all stakeholders minimize cybersecurity risks across the product’s total life cycle. According to the guidance, medical device cybersecurity is a shared responsibility among all stakeholders, including the manufacturer, health care providers, users, and regulators. All stakeholders must understand their responsibilities and work closely with one another to continuously monitor, assess, mitigate, communicate, and respond to potential cybersecurity risks and threats throughout the life cycle of the medical device.

 

Technical Information Report 57 (TIR57) and TIR97

 

TIR57 is a cybersecurity standard for medical devices. The guidance, titled “Principles for Medical Device Security—Risk Management,” was published by the Association for the Advancement of Medical Instrumentation (AAMI). It provides recommendations on integrating cybersecurity risk management into the overall development of the device. TIR57 is closely modeled after ISO 14971 for safety risk management, which specifies the terminology, principles, and processes for risk management of medical devices.

 

TIR57 also works in conjunction with TIR97, which provides guidance for addressing postmarket security risk management within the risk management framework defined by ANSI/AAMI/ISO 14971. Both TIR57 and 14971 touch on the postmarket phase at a high level. TIR97 expands on the foundation established in TIR57 and focuses on establishing security risk management for the postmarket phase of the product’s life cycle.

 

Recognizing the need for protection of medical devices in an increasingly digitized world, the U.S. Food and Drug Administration (FDA) added TIR57 to its list of recognized consensus standards. Device manufacturers who implement it can expect to have all the information expected by the FDA in place for premarket submissions.

 

NIST Framework for Improving Critical Infrastructure Cybersecurity

 

The National Institute of Standards and Technology (NIST) is an agency within the Department of Commerce that promotes innovation for enhancing science, business, technology, and economic security. The organization produced a document called the “Framework for Improving Critical Infrastructure Cybersecurity,” which assists companies in improving the security of their infrastructure.

 

The framework is useful for any organization no matter what type or level of cybersecurity it currently employs. The framework is not intended to replace a company’s current cybersecurity strategy. Instead, it advises organizations on identifying their current cybersecurity posture, determining a target state for cybersecurity efforts, and developing a plan for progressing toward the target state.

 

Open Web Application Security Project (OWASP)

 

OWASP is a nonprofit organization that works to improve the security of software. The OWASP Top 10 is a standard awareness document for developers that provides information about the most current critical security risks to web applications. As part of their approach to security, companies can incorporate the OWASP findings and recommendations into their security practices. The OWASP list is routinely updated to stay up to date with the ongoing advances in technology.

 

FDA Cybersecurity Recommendations

 

According to the FDA’s guidance on premarket submissions for cybersecurity, a trustworthy medical device:

 

  • Contains hardware, software, and/or programmable logic that is reasonably secure from cybersecurity intrusion and misuse.
  • Provides a reasonable level of availability, reliability, and correct operation.
  • Is reasonably suited to performing its intended functions.
  • Adheres to generally accepted security procedures.

 

The agency’s Quality System Regulation (QSR) suggests that software device manufacturers employ a risk-based approach to the design and development of medical devices, which includes setting up appropriate cybersecurity protections. Using this approach, the FDA encourages device manufacturers to:

 

  • Identify assets, threats, and vulnerabilities.
  • Assess the impact of threats and vulnerabilities on the device’s functionality, end users, and patients.
  • Assess the likelihood of a threat as well as the likelihood of a vulnerability being exploited.
  • Determine risk levels and suitable mitigation strategies.
  • Evaluate residual risk and risk acceptance criteria.

 

Implementing these design controls improves the likelihood that the FDA will find your device meets its applicable statutory standard for premarket review.

 

To effectively combat the ongoing cybersecurity threats, companies should have a clear definition of responsibilities for all relevant stakeholders regarding infrastructure, policy development, and communication. To achieve this, regulatory agencies along with cybersecurity experts strongly advocate effective and unified collaboration across the enterprise. Using a platform-based quality management system (QMS), companies easily manage design control, risk, changes, suppliers, etc. from a single platform. This way, all stakeholders can have an appreciable impact on the transformation of the product throughout its design, development, and postmarket life cycle.

 

Follow the link to read the full article where we go over specific areas to focus cybersecurity efforts throughout the product’s life cycle as well as FDA Cybersecurity Recommendations.

 

About RCA’s Medical Device Services

 

The regulatory compliance process surrounding the medical device industry involves a strict adherence to pre/post market information throughout a device’s life-cycle. Even a single compliance issue you have can turn into a significant effect on your business. Regulatory Compliance Associates medical device consultants can help guide you through any stage of this strategic process, with capabilities during product development through the regulatory clearance/approval of your product.

 

Our team of over 500 medical device consulting Experts — including former FDA officials and regulatory compliance leaders in the field of medical device regulation — will work with your company to create a quality assurance and regulatory compliance approach tailored to your products and regulatory needs. Regulatory Compliance Associates works with international Fortune 100 companies, venture capital start ups, and companies of all sizes and shapes. our compliance enforcement solutions for law firms include remediation for warning letters, FDA 483’s, import bans or consent decrees. Very few regulatory compliance services have the same regulatory compliance expertise in a variety of medical fields.

 

Cybersecurity

 

For medical device manufacturers, technology can be a double-edged sword. The innovative technologies that elevate the quality of life for patients can also be used to potentially undermine the organization using the device. The consequences can affect the device itself if Regulatory Compliance Associates medtech consultants do not implement good IoT cybersecurity and FDA cybersecurity protocols.

 

At Regulatory Compliance Associates, we offer a wide variety of services for medical devices security to help ensure that your product is protected from cyber-attacks. With a well-planned design, along with full visibility of product development and the supply chain, Regulatory Compliance Associates medical device consultant Experts can help strengthen your device’s cybersecurity. We partner with medical device companies in each phase of the design cycle, including protecting inputs from threat exposure and hardening outputs for regulatory compliance & FDA submission approval of your medical technology.

 

Regulatory Affairs

 

Regulatory affairs is Regulatory Compliance Associates® backbone, and we handle more submissions in a month than many manufacturers do in a lifetime. Our regulatory compliance consulting Experts have experience working with the FDA, global regulatory bodies and / or agencies, and notified bodies worldwide. Therefore, you can count on us for in-depth and up-to-date insights which increase speed-to-market.

 

As a trusted regulatory affairs consultant, our FDA veterans and industry experts represent Regulatory Compliance Associates® as one of the top medical device consulting firms. We’re here to help you navigate the difficulties associated with new product submissions. Regulatory Compliance Associates® medical device consulting company has expertise in both the approval process and post-approval support. 

 

  • New Product Approval
  • Post-Approval Support
  • Outsourced Staffing
  • EU MDR
  • Combination Products

 

Compliance Assurance

 

Increasingly, life science companies are feeling the pressure of greater scrutiny by regulators, and responding by developing sustainable compliance strategies. Whether it’s preparing for an audit, developing a response to an FDA finding, or remediation to an adverse event, Regulatory Compliance Associates® can help.

 

Our network of over 500 medical device consultant & FDA, MHRA & EMA veterans are industry professionals offers a unique blend of expertise. This allows Regulatory Compliance Associates® to handle both simple and complex regulatory compliance challenges within medical device consulting companies.

 

  • Gap Assessments
  • Internal Audits
  • Employee Training
  • Notified Body Response
  • Data Integrity

 

Quality Assurance

 

Regulatory Compliance Associates® Quality Assurance consulting includes quality system assessments, strategy, implementations, and identification of quality metrics to ensure continuous improvement, aligning with your business needs and goals. Each Regulatory Compliance Associates® medical device consultant is a quality expert with experience spanning major corporations and start-ups. We know firsthand how to achieve, maintain, and improve quality, and we excel in transferring this knowledge to your organization.

 

In the medical devices field, quality assurance (QA) is more than merely ensuring the quality of a finished product. You need the tools to monitor and regulate every process from the design of a new product to continued quality compliance as the device is sent to market. At Regulatory Compliance Associates®, we offer you the quality assurance services you need to monitor these processes and ensure quality compliance every step of the way.

 

With more than 20 years experience working with medical device consulting companies, Regulatory Compliance Associates® trusted medical device quality assurance consultant team is fully equipped to handle your unique QA needs.

 

  • ISO13485 
  • 21 CFR 210
  • 21 CFR 211
  • Outsourced Staffing
  • MDSAP
  • Facility Validation
  • Equipment Validation
  • Quality Metrics

 

Remediation Support

 

Regulatory Compliance Associates® is widely recognized within medical device consulting companies & the life science industry for remediation support. Regulatory Compliance Associates® ability to help companies successfully resolve complex regulatory challenges have a proven track record of success. Our medical device consulting services include significant experience with the development of responses to 483 Observations, Warning Letters, Untitled Letters and Consent Decrees.

 

  • Regulatory Action
  • Regulatory Compliance
  • Regulatory Enforcement
  • Warning Letter
  • 483 Observation
  • Oversight Services

 

Our value goes beyond the initial response by helping companies successfully execute their action plans, develop an improved compliance culture tailored to the needs of their business, and ultimately move beyond the regulatory action to emerge as a stronger business. We negotiate difficult demands of remediation with insight and the clear advantage of our medical device consultant expertise and experience that makes partnering with Regulatory Compliance Associates®  a competitive differentiator in the remediation space.

 

  • Quality System
  • Technical File
  • Design History File
  • Data Integrity
  • cGMP

 

Strategic Consulting

 

Whether it’s a strategy, a technical plan, or project, Regulatory Compliance Associates® medical device consultancy can help ensure a successful project. Regulatory Compliance Associates® medical device strategy consulting can deliver your project on time, on budget, and you’re never embroiled in a costly mistake.

 

Our medical device consultant Experts are industry Experts are here to provide the unique insight you need before an M&A deal, through a staffing crisis and in every area of your product’s development and life cycle. As the trusted medical device manufacturing consultants of thousands of companies around the world, we have the knowledge and expertise needed to deliver exceptional results to your business — no matter your size or unique needs.

 

  • Manufacturing Optimization
  • Product Lifecycle Management
  • Mergers & Acquisitions (M&A)
  • Due Diligence
  • Device Vigilance
  • Risk Management Plan
  • Product Complaints
  • Medical Information

 

About Regulatory Compliance Associates

 

Regulatory Compliance Associates® (RCA) provides medical device consulting to the following industries for resolution of life science challenges:

 

 

We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.

 

As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.

 

  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021

 

About Sotera Health

 

The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.

 

Sotera Health Company, along with its three best-in-class businesses – Sterigenics®Nordion® and Nelson Labs®, is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.

 

We are a trusted partner to more than 5,800 customers in over 50 countries, including 40 of the top 50 medical device companies and 8 of the top 10 pharmaceutical companies.

 

Commitment to Quality

 

Our Certificate of Registration demonstrates that our Quality Management System meets the requirements of ISO 9001:2015, an internationally recognized standard of quality.

 

To begin the Regulatory Compliance Associates® scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

 

Internal Audit

Q: I am in charge of the internal audit program at my company and am wondering if you have any suggestions on how I can make this activity more valuable for my company?

 

A:  Internal audits are part of management responsibilities (1–3) and can provide valuable information and offer many benefits to an organization. The information obtained during the audit can be used in many ways to help your organization grow and continually improve its operations. How you approach the internal audit function will help the organization understand the advantages of supporting an effective, well-run internal audit program.

 

If designed and implemented appropriately, internal audits can provide valuable information that can be used to prevent issues before they become compliance concerns during a regulatory inspection. Issues can be identified and corrected before the regulatory authorities or current/potential clients identify them. If these issues can’t be completely remediated before an external audit, a plan to correct them can be established and action taken to mitigate them. Having corrective actions in place before others identify the issue may lessen the impact of the observation and instill confidence that your quality system is under control and there is a process in place for continuous improvement. In addition, the internal audit can be used for training staff and communicating valuable information to the organization.

 

The object of an internal audit is not to pretend to be the regulatory authority and show up unannounced but rather to work in cooperation with your colleagues to identify and solve potential issues. An effective program establishes a partnership between the audit function and the departments being audited. The ideal tone for an internal audit should be a team-oriented activity that is instructive, informative, open, honest, and inclusive.

 

There are several factors that help contribute to establishing this tone. One way to set the proper tone is to publish the audit schedule in advance and make sure the functional areas are informed of the schedule. The audit itself should be forward thinking and unlimited in scope. The auditors should work with the functional area and talk with as many employees as possible to identify the issues of concern. Individuals who are responsible for performing the day-to-day activities often have the best insight as to what is working and what needs to be improved. Excluding them from participating in the audit process might result in overlooking a serious issue that could come up during a regulatory inspection.

 

To be able to get the most valuable information about the potential compliance issues facing the organization, internal audits should not be judgmental or antagonistic, or have a ‘check the box’ mentality in execution. They should also avoid looking retrospectively in lieu of looking forward.

 

The behavior of the auditors during the audit is also important to obtaining valuable information. Auditors should be direct and avoid asking questions designed to stump people. The auditors should take this opportunity to teach by explaining why they are asking particular questions and providing the regulatory citation for the inquiry. Another important behavior is the ability to listen to the answers to the questions and refrain from judging. The auditor should adopt a proactive approach to the audit and look at items that are infrequently assessed. Above all else, the auditor needs to be friendly.

 

The exact same behavior defined for the auditor should also be the exact same behavior displayed by the auditees. Auditees should be direct and avoid deflecting or obfuscating answers. They also need to be instructive and take the time to explain why they do things the way they do them. They need to listen to the auditor’s concerns and not overreact to the question being asked. They should be proactive and point out things of concern and seek advice on how to remediate them. Both parties need to remember they are not the enemies, rather they are the partners.

 

Internal audits are a valuable tool for identifying issues before others identify them. The information obtained during the audit can be used to improve your processes, and the audit process itself can be another tool to help train employees. If you consider the internal audit as a gap analysis for your processes and set a tone of partnership and cooperation, you will find that the audit program and the information obtained from it will become a valuable resource for the organization rather than an unwanted intrusion into operations.

 

 

internal audit

 

Article Details

Pharmaceutical Technology
Vol. 41, No. 4
Page: 74

 

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

 

FDA Investigation Timeliness vs. Thoroughness

 
Q. I have just been promoted to be in charge of investigations for my company. Our standard operating procedure (SOP) requires us to complete an FDA investigation in 30 days. Depending on the nature of the investigation and to meet the SOP requirement, I have started to close investigations at the 30-day time point even though I think the investigation might not be complete. Sometimes I have had to re-open investigations because the problem recurs, confirming that the investigation was not completed. Do I have a compliance risk if I continue with this practice?

 

A. The short answer is yes, you have a compliance risk. You probably also have a data integrity issue and a quality culture issue to accompany your compliance risk. There is no time element associated with conducting an internal investigation. Thirty days is an arbitrary number pharmaceutical companies impose on themselves. There are very specific deadlines associated with an FDA investigation you need to pay close attention to.

 

The US Code of Federal Regulations states

 

“… if errors have occurred, that they have been fully investigated” (1), and “Any unexplained discrepancy … shall be thoroughly investigated, whether or not the batch has already been distributed”

 

Europe’s EudraLex also addresses investigations by stating,

 

“An appropriate level of root cause analysis should be applied during the investigation of deviations …”.

 

None of these citations indicate a time for completion of an investigation. What they do imply is that investigations need to be thorough and determine root cause. In some cases, the investigation and root cause can be easily determined in the defined SOP time frame of 30 days.

 

In other cases, the investigation may be more complicated and could exceed the time frame requirement of 30 days. To address this potential discrepancy, your SOP should allow for FDA investigation extensions if possible. The length of the extension request should be made based on the complexity of the investigation.

 

Data Integrity Problems

 

When an investigation is rushed, the organization leaves itself vulnerable. Suppose, for example, you have a second shift manufacturing operator who continually forgets to sign a step in the batch record for a specific product. This operator is the only one who seems to have this issue. Your initial investigation into the first occurrence of the issue determines a root cause of human error.

 

Because the operator works on the second shift, it is inconvenient to interview him directly, so you rely on the word of his supervisor that this was just a case of human error. You decide to retrain the operator on the proper use of filling out the form and skip the operator interview in order to complete the investigation and perform the retraining in the allotted 30-day time frame.

 

A few weeks later, the same operator makes the same mistake. You review the previous investigation, arrive at the same conclusion, and perform the retraining of the operator emphasizing the importance of correctly filling out the batch record. This scenario repeats itself 10 times over the course of four months. You finally decide to question the ability of the operator to do the job correctly and bring your concerns to management that this behavior could lead to an FDA observation.

 

Your boss asks if anyone has interviewed the operator directly to find out why he is having this issue with the batch record. You say no, that you have relied on the opinion of the supervisor. The boss recommends you interview the operator before demoting him.

 

When you talk to the operator, he informs you that in order to sign the batch record when it needs to be signed, he needs to exit the aseptic core, degown, sign the batch record, and regown, leaving the product unattended during that time.

 

The operator tells you he chose to stay with the product and sign the batch record later but sometimes forgot after the manufacturing run. In this simple exchange with the operator you realize that the root cause of the repeat deviation is not a result of human error but a result of poor process flow. These are the kind of mistakes an FDA investigator will definitely find during an FDA audit of a pharmaceutical manufacturer. 

 

The question you need to address now is how were other operators handling the situation? Only by understanding how widespread the issue is can you conduct an accurate gap assessment. By not taking the time to perform the initial investigation thoroughly, you have created a data integrity nightmare because you now need to review all the batch records completed by the other operators to determine if the product is still acceptable.

 

Admittedly, this is a simplistic example, but it certainly exemplifies the importance of opting to perform a complete and thorough investigation over meeting an artificially imposed time frame. Explaining to an inspector during an audit that you didn’t perform a thorough investigation because you needed to meet an arbitrary time frame is not a position you want your company to be in. You also don’t want to explain why you closed an investigation to meet the time frame and then felt compelled to reopen it after the batch was released because you had concerns about its conclusions.

 

Quality over brevity

The other element that needs to be addressed is that of the prevalent culture existing in the organization. It is good to set a time goal for FDA compliance activities performing investigation, thus ensuring their timely completion. It is not acceptable to have the time frame be the driving force behind the investigation.

 

Management needs to emphasize their commitment to having thorough investigations as opposed to being unprepared for an FDA investigation. It is ideal when an investigation is completed and a true root cause identified in the specified time frame but, if that is not achievable, management needs to be clear that they prefer the identification of the true root cause over the rushed investigation that merely checks the box for completion in a timely manner. Without this management commitment, the premature closing of investigations will likely continue.

 

Investigations need to focus on determining root cause in a timely manner. The length of time it takes to complete an investigation depends on the complexity of the investigation. The primary driver for avoiding compliance and data integrity risks concerning investigations is arriving at a root cause in a timely manner. This allows you to be confident in presenting your investigations during inspection and avoiding unnecessary scrutiny when the investigation is rushed and a conclusion is reached prematurely.

 

regulatory compliance

 

Pharmaceutical Technology
Volume 42, Issue 12, pg 50, 49

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

 

Root Cause Analysis and Deviations

Experts Steven J. Lynn, executive vice-president, Pharmaceuticals for Regulatory Compliance Associates, Inc., and Susan J. Schniepp, distinguished fellow for Regulatory Compliance Associates, Inc., provide simple answers to frequently asked questions regarding deviation investigations.

 

Q. What is a deviation & do all deviations need a root cause analysis?

 

A. A deviation is when there is a failure to follow the instructions guiding the performance of an activity. The purpose behind understanding a standard deviation is critical to execute for optimal results. Simply put, deviations result from people not following their standard operating procedures (SOP) and is often the root cause analysis of many quality problems.

 

For example, deviation meaning can often be based on work instructions or batch record instructions. A root analysis often starts with documents that explain how a team performs certain functions or tasks. Deviation investigations related to non-compliance look to determine the root cause of the problem. While not all SOP deviation issues are equal in their impact on root cause, any quality deviation should be investigated. The basics of this investigation is historically considered the “five whys”  (or 5whys). 

 

Q. What is a planned deviation?

 

A. In our opinion, there is no such thing as a planned deviation. Planned deviations were often a SOP deviation supposed to justify changes from SOPs that would be utilized to carry out the operation over a certain period of time.

 

The current thinking by regulatory authorities is there is no such thing as a planned deviation. During a breakfast session at a recent PDA  Joint Regulatory Conference, a representative from the FDA stated, “it’s a very strange term, and it kind of makes your skin crawl a little bit”.

 

If you need to make a CAPA deviation change to a procedure, we suggest using the change control system to document. This may seem like a picky point in average deviation process flow. However, until the change is evaluated in process validation requirements, a short term deviation is still non compliance. The deviation process in manufacturing must product reliable and durable solutions. This standard deviation step by step process can only help to reduce quality issues in the long term, especially for large deviation issues. 

 

Q. What’s the best process for investigating deviations?

 

A. There is no single best process for investigating deviations. The ultimate goal of deviation investigations is to determine why something went wrong in the final pharmaceutical deviation report. Above all, understand what caused the deviation to go wrong and how to address the issue from reoccurring. To achieve successful resolution of deviations, keep the following in mind when searching for types of root causes:

 

  • A one-size investigation doesn’t fit all situations. Simple errors require simple documentation while more serious deviations require broader investigations.
  • The best tool to have is inquisitiveness during the 5why analysis. Ask yourself how far this process deviation could extend.
  • Widen your perspective. Look for ways to relate, not separate, similar issues across CAPA deviation investigations.
  • Human error in the 5whys is rarely a sufficient root cause.
  • Always verify information or your instincts and never assume you are correct without proper data to support your instincts.

 

Q. Why is human error not an acceptable finding for deviations?

 

A. The overuse of human error as a root cause to a deviation represents lost opportunities to reduce future issues. A root cause analysis must identity of the true root cause of the problem and not mask it. Sometimes in a rush to get to the root of the problem, the problem lies within the human error inside human error

 

There is a bigger root cause corrective action question that needs to be considered. The initial investigation should determine what the root causes are that led the employee to make the human error. Asking this question early in the root analysis leads to better identification for continuous improvement. It can also solidify agreement in the team regarding the cause analysis associated with improvement priorities. 

 

Root Cause Analysis Example

 

Let’s look at types of root causes that might help clarify examples of why human error can mask the real root cause of a deviation. Suppose, for example, you have a second shift manufacturing operator who continually forgets to sign the batch record for a specific product. This operator is the only one who seems to have this issue. Your initial investigation into the first occurrence of the issue determines a root cause of human error.

 

Because the operator works the second shift, it is inconvenient to interview him and find the root problem. This relies on the word of his supervisor as an important source that influences the root cause corrective action, which may not be the whole story. This small factor can impact the root causes of the bigger issue while the team may not recognize the significance. 

 

Root Cause Failure Analysis

 

You decide to retrain the operator on the proper use of filling out the form and skip the operator interview. This helps to increase the speed of the root cause failure analysis in order to complete the investigation in the allotted 30-day time frame. This scenario repeats itself 10 times over the course of four months. You finally decide to interview the operator directly after the root cause investigation is completed.

 

When you talk to the operator, he informs you of the process to sign the batch record when it needs to be signed. He must exit the aseptic core, degown and sign the batch record. Now, you finally begin to determine the root cause meaning based on the common repetition of employee actions. 

 

Root Analysis and Process Flow

 

The root cause analysis deviation unveils the operator leaves the product unattended when signing the batch record. After signing the batch record, he must then regown and return to work.  The operator tells you he chose to stay with the product and sign the batch record later. Consequently, he sometimes forgets to sign after the manufacturing run. In this simple exchange with the operator, you find the root cause of the repeat deviation is not a result of human error but a result of poor process flow.

 

Q. How much time should I allow for a deviation to be investigated?

 

A. Interpreting standard deviation often depends on the length of time it takes to complete an investigation. This can change depending on the complexity of the circumstances involved. Simple deviations can be completed in a short time frame, but more involved deviations will take longer. We recommend you set a root cause investigation time frame that is reasonable for the size of your organization. For example, you might indicate that investigations will be completed between 30–60 days after the documented deviation. This gives you some flexibility to conduct a proper search during root cause problem solving.

 

Q. Are out-of-specification (OOS) results considered deviations?

 

A. No. OOS results need to be investigated separately due to the potential impact to the product. If the root cause of the OOS cannot be attributed to laboratory error, you should initiate a deviation/investigation.  Additionally, a separate root cause tree can help determine what happened during product manufacturing that led to the erroneous laboratory result.

 

Published:

root cause analysis

 

 

 

 

Pharmaceutical Technology

Volume 45, Issue 4

Pages: 66, 65

 

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

FDA Inspection: Remote vs. In-Person

Learn more about remote inspections, FDA inspection training and begin preparing now for next year’s FDA remote inspections.

 

“Physical inspections, especially when unannounced, are one of FDA’s most important tools to ensure drug safety and quality.”

 

REPORT 117 (2021): AGRICULTURE, RURAL DEVELOPMENT, FOOD AND DRUG ADMINISTRATION, AND RELATED AGENCIES APPROPRIATIONS BILL 

 

There will be a live demo of the world’s first multi-party immersive remote presence service by Avatour, as well as a breakdown of the U.S. House Appropriations Committee recently submitted an increase in budget for the Food and Drug Administration (FDA), including new funding for increased on-site inspections during 2022 and beyond. 

Earlier reports  also documented the incremental funding may be utilized for additional headcount to support the return to a normal rate of unannounced in-person FDA inspection events. International markets, including India and China, have also been mentioned as regions of interest due to previous 2020 travel complications due to the global COVID-19 pandemic.

In this webinar you will learn more about:

  • How the FDA will utilize remote inspections in the future based on these changes
  • Proactive companies who set compliance training exercises for their FDA inspection teams
  • Considerations for revising standard operating procedures based on virtual compliance
  • Virtual Audit Solutions for conducting training inspections similar to an FDA Audit
  • Take a virtual tour of the fastest growing remote inspections technology, Avatour
  • Best practices for partnering with the FDA during an unannounced inspection

 

Presenters

Devon Copley

CEO and Co-Founder of Avatour

An expert on live immersive technology, Devon has more than 20 years of experience in online media and VR. Previously, he was Head of Product for the Nokia OZO VR platform, where he expanded the OZO ecosystem to include live VR broadcast, next-generation immersive delivery, and multi-platform playback. Earlier, Devon co-founded the online media consulting firm Interocity (acquired by Chyron) and was VP of Customer Success at the leading cloud video platform Kaltura. Avatour is a new form of communication: the world’s first multi-party immersive remote presence service.

Remote Inspections

Eric Januszewski

Senior Director, Client Relations

As Regulatory Compliance Associates® Inc.’s Senior Director of Client Relations, Eric has focused on assisting European medical device and pharmaceutical companies gain market entry into the United States, helping provide solutions to increase market growth while focusing on quality and compliance. His experience includes providing support to a broad range of companies in operations, FDA and EU compliance management, change control processes, and audit preparation. Regulatory Compliance Associates® Inc. (RCA) provides worldwide solutions to the medical device and pharmaceutical industries for resolution of regulatory, compliance and quality challenges.

 

About RCA’s Pharmaceutical Consulting Services 

Regulatory Compliance Associates (RCA) has helped thousands of pharmaceutical companies meet regulatory, compliance, quality assurance, and remediation challenges. With more than 20 years of experience with FDA, Health Canada, EU and global regulatory agencies worldwide, Regulatory Compliance Associates® offers leading pharmaceutical consultants. We’re one of the few pharma consulting companies that can help you navigate the challenges associated with industry regulations.

Our pharmaceutical consulting firm includes over 500 seasoned FDA, Health Canada & EU compliance consultants and regulatory affairs experts who understand industry complexities. It’s a pharma consultancy founded by regulatory compliance executives from the pharmaceutical industry. Every pharmaceutical industry consultant on the Regulatory Compliance Associates team knows the unique inner workings of the regulatory process. 

 

Client Solutions

Whether you’re in the product planning, development or pharmaceutical lifecycle management stage or need a remediation strategy for a compliance crisis, Regulatory Compliance Associates will guide you through every pharmaceutical consulting step of the regulatory process. Our pharmaceutical consulting Experts will create a customized approach depending on your product and company’s individual needs. Our regulatory compliance clients include:

  • Companies new to FDA, Health Canada or EU regulations and regulatory compliance
  • Start-up organizations with novel submissions to 510(k) submissions from multi-national corporations
  • Investment firms seeking private equity due diligence for pre-acquisition and post-deal research
  • Law firms seeking pharmaceutical consulting firm expertise in the remediation of warning letters, consent decrees, 483’s or import bans

 

Regulatory Affairs

Regulatory affairs is Regulatory Compliance Associates backbone. We exceed other pharma consulting companies with industry experts experienced in complexities of the pharmaceutical and biopharmaceutical industries. Our pharma consulting expertise spans all facets and levels of Regulatory Affairs. Additionally, we specialize in Regulatory Support for New Products to Life Cycle Management, Outsourced Regulatory Affairs, Submissions, Training, and more.

As your partner, we can negotiate the potential assessment minefield of regulatory compliance services with insight, hindsight, and the clear advantage of our breadth and depth of knowledge and regulatory compliance consulting. We offer the following pharma consulting regulatory affairs services for pharmaceutical companies.

  • New Product Support
  • Product Lifecycle
  • Other Regulatory Services
  • Combination Products

 

Compliance Assurance

The regulations process surrounding pharmaceutical companies can be tricky for even the most experienced industry veteran to understand. Just one misstep could mean significant and lasting consequences for your business. At Regulatory Compliance Associates, we offer the pharma consulting experience and pharma consultants necessary to guide you an FDA inspection & quality compliance process.

  • Assessments
  • Audits
  • Regulatory Agency Response
  • Preparation and Training
  • Inspection Readiness
  • Data Integrity

 

Quality Assurance

Regulatory Compliance Associates Quality consulting includes assessments, strategy, implementations, staff augmentations, and identification of quality metrics to ensure continuous improvement. Our pharma consultants understand the strategic thinking needed to align your business needs and goals. Regulatory Compliance Associates quality assurance services include quality experts with experience spanning major corporations and start-ups. Our pharmaceutical consulting firm knows firsthand how to achieve, maintain, and improve quality. Finally, our regulatory compliance services team excels in transferring continuous improvement knowledge to your organization.

  • 21 CFR Part 11
  • Data Integrity
  • Manufacturing Support
  • Facility Support
  • Quality Metrics

 

Remediation Services 

Regulatory Compliance Associates has significant experience and a proven remediation services approach to managing FDA Warning Letters, Consent Decrees, and other serious regulatory situations. Our pharma consultants know how to partner with executive, legal, and communication teams. Each RCA pharma consulting Expert will develop a response that will be accepted by the regulatory agency and be realistic to execute.

Regulatory Compliance Associates pharma regulatory consultants will develop a comprehensive proof book of documented evidence demonstrating the corrective action taken to remediate non-compliant issues. In addition, each Regulatory Compliance Associates pharma consulting Expert understands FDA inspection & compliance enforcement. We’ll prepare a comprehensive pharma consulting strategy to assist in your remediation efforts, drive continuous improvement, and maintain regulatory compliance with the regulations.

  • Regulatory Action
  • Regulatory Compliance
  • Regulatory Enforcement
  • Warning Letter
  • 483 Observation
  • Oversight Services
  • Risk Management Plan

 

About Regulatory Compliance Associates

fda inspectionRegulatory Compliance Associates® (RCA) provides pharmaceutical consulting to the following industries for resolution of life science challenges:

We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.

As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.

  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021

 

About Sotera Health

The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.

Sotera Health Company, along with its three best-in-class businesses – Sterigenics®Nordion® and Nelson Labs®, is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.

We are a trusted partner to 5,800+ customers in over 50 countries, including 40 of the top 50 medical device companies and 9 of the top 10 pharmaceutical companies.

 

Commitment to Quality

Our Certificate of Registration demonstrates that our Quality Management System meets the requirements of ISO 9001:2015, an internationally recognized standard of quality.

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 

Compliance Audit

Background

Qualitestregulatory compliance, a leading developer and manufacturer of affordable, high-quality generic pharmaceuticals, launched a compliance audit strategy to prepared for upcoming FDA inspections.

To protect public safety, the U.S. Food and Drug Administration (FDA) routines audits and assesses companies that manufacture and package drugs. Qualitest wanted to better understand the unique conditions that violate FDA regulations. The leadership team was not in fear of receiving a FDA warning letter. However, being proactive to stay in compliance was the root focus of the strategy.

Solution

Qualitest engaged Regulatory Compliance Associates® Inc. (RCA) to prepare the company in advance of an FDA Audit. RCA reviewed over 170 investigations relating to Qualitest operations to suggest improvements and identify areas of risk.

RCA conducted a mock audit to both ensure the compliance of the client and to maintain their readiness for the actual FDA inspection. RCA’s experienced team of ASQ-CQA and Exemplar Global certified auditors was available to perform a range of internal audit services, including:

  • Supplier
  • API
  • Contact Manufactures (CMO)
  • Internal
  • Quality Systems
  • Baseline
  • Verification
  • Clinical (CRO) and Clinical Manufacturing
  • Data Integrity
  • 503A & 503B
  • Combination Products

By working efficiently and by tapping into scheduled downtime, RCA was able to complete the project in three months.

Result

Qualitest implemented the recommended changes, including company-wide training, and received no observations during the next FDA inspection.

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage.